From c247218613c29a42b96c7d088b2e80f0aab0c3ed Mon Sep 17 00:00:00 2001
From: Al Beano
Date: Sun, 13 Aug 2017 19:58:22 +0100
Subject: [PATCH] Send confirmation emails for account updates
---
 dbupdate/1.sql | 7 +++++++
 lib/cyberman/Account.pm | 42 ++++++++++++++++++++++++++++++++++++++---
 schema.sql | 10 +++++++++-
 views/account.tt | 2 +-
 views/email/update.tt | 8 ++++++++
 5 files changed, 64 insertions(+), 5 deletions(-)
 create mode 100644 dbupdate/1.sql
 create mode 100644 views/email/update.tt
diff --git a/dbupdate/1.sql b/dbupdate/1.sql
new file mode 100644
index 0000000..e77c649
--- /dev/null
+++ b/dbupdate/1.sql
@@ -0,0 +1,7 @@
+create table cyberman (
+ id integer primary key,
+ dbrev integer not null
+);
+insert into cyberman (dbrev) values (2);
+
+alter table user add column newemail text;
diff --git a/lib/cyberman/Account.pm b/lib/cyberman/Account.pm
index b974028..fd602cb 100644
--- a/lib/cyberman/Account.pm
+++ b/lib/cyberman/Account.pm
@@ -1,6 +1,7 @@
 package cyberman::Account;
 use Dancer2 appname => "cyberman";
 use Dancer2::Plugin::Database;
+use URI::Escape;
 use cyberman::Helper;
@@ -73,8 +74,7 @@ post '/account' => sub {
 }
 if (param("email") ne $user->{"email"}) {
-
- # TODO: verify email address here
+ my $conftoken = randstring(16);
 database->quick_update (
 "user",
@@ -82,9 +82,18 @@ post '/account' => sub {
 "id" => vars->{"auth"},
 },
 {
- "email" => param "email",
+ "newemail" => param("email"),
+ "conftoken" => $conftoken,
 },
 );
+
+ my $email = template 'email/update' => {
+ "link" => config->{"mail"}->{"baseurl"} . "/confirm_update?o=" . uri_escape($user->{"email"}) . "&n=" . uri_escape(param "email") . "&t=$conftoken",
+ },
+ {
+ "layout" => undef,
+ };
+ send_email(param("email"), $email);
 }
 if ($new_pass) {
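Review bot: The migration runs three statements with no transaction, so a failure at `alter table user add column newemail text` (the last statement) leaves the `cyberman` table created and `dbrev` already recorded as 2 while the column the new code reads is missing, and a rerun fails on `create table`. Wrapping the file in `begin;` … `commit;` makes it all-or-nothing if this is SQLite, which the `integer primary key` style suggests. The file is named `1.sql` but records `dbrev` 2; if the file number is meant to track the revision, the two should agree or the convention be documented in the file header.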
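Review bot: `my $conftoken = randstring(16);` is written into the same `conftoken` column that schema.sql declares `not null` next to `active`, which reads as the account-activation token; overwriting it here means a user with a pending activation who edits their address can no longer activate, and an activation link would now satisfy whichever flow reads the column. A dedicated column (say `emailtoken`, a suggested name) keeps the two flows independent; the schema.sql hunk that adds `newemail` beside `conftoken` is the place for it. `randstring` is not shown in the hunk — confirm it draws from a CSPRNG, since this value alone authorizes the address change. The enclosing `post '/account'` handler starts before this hunk.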
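Review bot: The confirmation link embeds the account's current address as `o=` and is mailed to `param("email")`, an address typed by whoever holds the session and not yet verified, so a stranger who receives this mail learns the current email of an account they do not own (the template itself says "someone entered your email address"). Looking the pending change up by `newemail` and `conftoken` alone lets the link drop `o=`: `"link" => config->{"mail"}->{"baseurl"} . "/confirm_update?n=" . uri_escape(param "email") . "&t=$conftoken",`. The old address receives no notice at all, so a hijacked session can redirect the account silently; sending a notification to `$user->{"email"}` here is the usual mitigation. `send_email` is outside the hunk — if it builds the To: header from this string, reject values containing CR/LF or anything beyond a single address before calling it. The handler continues outside the hunk.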
@@ -125,4 +134,31 @@ post '/account' => sub {
 };
 };
+get '/confirm_update' => sub {
+ my $user = database->quick_select(
+ "user",
+ {
+ "email" => param("o"),
+ "newemail" => param("n"),
+ "conftoken" => param("t"),
+ },
+ );
+
+ if (!$user) {
+ return "No such user/token!";
+ }
+
+ database->quick_update(
+ "user",
+ {
+ "id" => $user->{"id"},
+ },
+ {
+ "email" => param("n"),
+ },
+ );
+
+ template 'confirmed';
+};
+
 true;
diff --git a/schema.sql b/schema.sql
index 6071b0e..9e0bb8a 100644
--- a/schema.sql
+++ b/schema.sql
@@ -1,3 +1,10 @@
+drop table if exists cyberman;
+create table cyberman (
+ id integer primary key,
+ dbrev integer not null
+);
+insert into cyberman (dbrev) values (2);
+
 drop table if exists user;
 create table user (
 id integer primary key,
@@ -5,7 +12,8 @@ create table user (
 password text not null,
 salt text not null,
 active integer not null default 0,
- conftoken text not null
+ conftoken text not null,
+ newemail text
 );
 drop table if exists session;
diff --git a/views/account.tt b/views/account.tt
index d3b523d..8165bc2 100644
--- a/views/account.tt
+++ b/views/account.tt
@@ -4,7 +4,7 @@
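Review bot: `get '/confirm_update'` applies the new address but never clears `newemail` or rotates `conftoken`, and its where clause is only `"id"`, so the pending state stays in the row and the same `t=` value keeps working until the user starts another update; nothing gives the token an expiry either. Narrow the update and close out the pending state in one statement: `{ "id" => $user->{"id"}, "conftoken" => param("t") },` as the where clause and `{ "email" => param("n"), "newemail" => undef, "conftoken" => randstring(16) },` as the values (`conftoken` is `not null` in schema.sql, so it cannot simply be nulled). The route also does not check that `n` is not already another account's `email`; whether the schema enforces uniqueness on that column is outside this hunk, so if it does not, `quick_select` for the address first and refuse with a message. `randstring` is defined elsewhere in the file.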
<% IF updated %>
- Your account details were updated successfully.
+ Your account details were updated successfully. If you updated your email address, you need to click the link sent to you before the changes can be applied.


<% END %>
diff --git a/views/email/update.tt b/views/email/update.tt
new file mode 100644
index 0000000..a3bd3f5
--- /dev/null
+++ b/views/email/update.tt
@@ -0,0 +1,8 @@
+Hello!
+
+You're receiving this email because someone entered your email address into cybNIC.
+
+If this was you and you'd like to use this address, please click this link:
+<% link %>
+
+Otherwise, feel free to ignore this email.