Add expiry on sign up draft (to prevent leakage of personal information)

[ndcode_site.git] / my_account / sign_up / index.html.jst

diff --git a/my_account/sign_up/index.html.jst b/my_account/sign_up/index.html.jst
index 228b5b0..295b238 100644 (file)
--- a/my_account/sign_up/index.html.jst
+++ b/my_account/sign_up/index.html.jst
@@ -1,4 +1,5 @@
 let logjson = (await import('@ndcode/logjson')).default
+let XDate = require('xdate')
 
 return async env => {
   let breadcrumbs = await _require('/_lib/breadcrumbs.jst')
@@ -8,19 +9,38 @@ return async env => {
   let session_cookie = await _require('/_lib/session_cookie.jst')
 
   // preload draft details if any
-  let transaction = await env.site.database.Transaction(), details
+  let transaction = await env.site.database.Transaction(), draft_details
   try {
     // initialize env.session_key, set cookie in env.response
     let session = await session_cookie(env, transaction)
 
-    details = await logjson.logjson_to_json(
-      await session.get('sign_up_draft', {})
-    )
+    let sign_up_draft = await session.get('sign_up_draft')
+    draft_details =
+      sign_up_draft !== undefined &&
+        XDate.now() < await logjson.logjson_to_json(
+          await sign_up_draft.get('expires')
+        ) ? {
+          email: await logjson.logjson_to_json(
+            await sign_up_draft.get('email')
+          ),
+          given_names: await logjson.logjson_to_json(
+            await sign_up_draft.get('given_names')
+          ),
+          family_name: await logjson.logjson_to_json(
+            await sign_up_draft.get('family_name')
+          ),
+          contact_me: await logjson.logjson_to_json(
+            await sign_up_draft.get('contact_me')
+          )
+        } : null
+
+    await transaction.commit()
   }
-  finally {
+  catch (error) {
     transaction.rollback()
+    throw error
   }
-  console.log('details', JSON.stringify(details))
+  console.log('draft_details', JSON.stringify(draft_details))
 
   await navbar(
     env,
@@ -32,6 +52,8 @@ return async env => {
 
       p {'Signing up allows you to leave comments on our blog and receive communications from us.'}
 
+      p {'Your given names are visible to other users if you comment on our blog. Your email and family name remain private. If your name is one word or does not fit given names/family name pattern, then please enter given names only.'}
+
       div.accordion#accordion.mb-5(role="tablist" aria-multiselectable="true") {
         div.card#step-1 {
           div.card-header#step-1-heading(role="tab") {
@@ -58,13 +80,13 @@ return async env => {
                 div.col-md-6 {
                   div.form-group {
                     label.form-label(for="given-names") {'Given names *'}
-                    input.form-control#given-names(type="text" value=details.given_names || '' placeholder="Your given names" required="required" maxlength=256) {}
+                    input.form-control#given-names(type="text" value=draft_details ? draft_details.given_names : '' placeholder="Your given names" required="required" maxlength=256) {}
                   }
                 }
                 div.col-md-6 {
                   div.form-group {
                     label.form-label(for="family-name") {'Family name'}
-                    input.form-control#family-name(type="text" value=details.family_name || '' placeholder="Your family name" maxlength=256) {}
+                    input.form-control#family-name(type="text" value=draft_details ? draft_details.family_name : '' placeholder="Your family name" maxlength=256) {}
                   }
                 }
               }
@@ -72,7 +94,7 @@ return async env => {
                 div.col-md-6 {
                   div.form-group {
                     label.form-label(for="email") {'Email *'}
-                    input.form-control#email(type="email" value=details.email || '' placeholder="Your email address" required="required" maxlength=256) {}
+                    input.form-control#email(type="email" value=draft_details ? draft_details.email : '' placeholder="Your email address" required="required" maxlength=256) {}
                   }
                 }
                 div.col-md-6 {
@@ -85,7 +107,7 @@ return async env => {
               div.row {
                 div.col-md-12 {
                   div.custom-control.custom-checkbox {
-                    if (details.contact_me === undefined || details.contact_me)
+                    if (!draft_details || draft_details.contact_me)
                       input.custom-control-input#contact-me(type="checkbox" checked="checked") {}
                     else
                       input.custom-control-input#contact-me(type="checkbox") {}
@@ -96,7 +118,7 @@ return async env => {
                   }
                 }
               }
-              div.row.align-items-center {
+              div.row.align-items-center.mb-3 {
                 div.'col-md-6' {
                   div.form-group {
                     label.form-label(for="verification-code") {'Verification code *'}
@@ -111,9 +133,8 @@ return async env => {
                 }
               }
 
-              p.mt-3 {'Note: If your name is one word or does not fit given names/family name pattern, then please enter given names only. Your given names are visible to other users if you comment on our blog. Your email and family name remain private.'}
-
               button.btn.btn-success#step-1-continue(type="button") {'Continue'}
+
               p.'mt-3'.mb-0 {'* These fields are required.'}
             }
           }
@@ -267,7 +288,7 @@ return async env => {
                 new Problem(
                   // title
                   'Bad request',
-                  // details
+                  // detail
                   (error.stack || error.message).toString()
                   // status
                   400
@@ -304,7 +325,7 @@ return async env => {
                 new Problem(
                   // title
                   'Bad request',
-                  // details
+                  // detail
                   (error.stack || error.message).toString()
                   // status
                   400