Add token based security feature

In the current setup users could be tricked into deleting their data by
providing a malicious link like `[click me](/me/delete)`. This commit
prevents such an easy attack and need the user's deleteToken to get his
data deleted. In case someone requests his deletion by email you can
also ask him for this token.

We can add a GUI that shows it later on.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

1 files changed, 23 insertions, 4 deletions

diff --git a/lib/response.js b/lib/response.js
index 2ea2f1c6..b1b89c78 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -56,7 +56,10 @@ function responseError (res, code, detail, msg) {
 }
 
 function showIndex (req, res, next) {
-  res.render(config.indexPath, {
+  var authStatus = req.isAuthenticated()
+  var deleteToken = ''
+
+  var data = {
     url: config.serverURL,
     useCDN: config.useCDN,
     allowAnonymous: config.allowAnonymous,
@@ -74,12 +77,28 @@ function showIndex (req, res, next) {
     email: config.isEmailEnable,
     allowEmailRegister: config.allowEmailRegister,
     allowPDFExport: config.allowPDFExport,
-    signin: req.isAuthenticated(),
+    signin: authStatus,
     infoMessage: req.flash('info'),
     errorMessage: req.flash('error'),
     privacyStatement: fs.existsSync(path.join(config.docsPath, 'privacy.md')),
-    termsOfUse: fs.existsSync(path.join(config.docsPath, 'terms-of-use.md'))
-  })
+    termsOfUse: fs.existsSync(path.join(config.docsPath, 'terms-of-use.md')),
+    deleteToken: deleteToken
+  }
+
+  if (authStatus) {
+    models.User.findOne({
+      where: {
+        id: req.user.id
+      }
+    }).then(function (user) {
+      if (user) {
+        data.deleteToken = user.deleteToken
+        res.render(config.indexPath, data)
+      }
+    })
+  } else {
+    res.render(config.indexPath, data)
+  }
 }
 
 function responseHackMD (res, note) {