2024-10-05 17:01:49 -04:00
|
|
|
import { Request, Response, NextFunction } from "express";
|
|
|
|
|
import createHttpError from "http-errors";
|
|
|
|
|
import { z } from "zod";
|
|
|
|
|
import { fromError } from "zod-validation-error";
|
|
|
|
|
import HttpCode from "@server/types/HttpCode";
|
2025-01-01 21:41:31 -05:00
|
|
|
import { response } from "@server/lib";
|
2024-10-05 17:01:49 -04:00
|
|
|
import { db } from "@server/db";
|
|
|
|
|
import { passwordResetTokens, users } from "@server/db/schema";
|
|
|
|
|
import { eq } from "drizzle-orm";
|
2024-12-22 16:59:30 -05:00
|
|
|
import { alphabet, generateRandomString, sha256 } from "oslo/crypto";
|
2024-10-05 17:01:49 -04:00
|
|
|
import { createDate } from "oslo";
|
|
|
|
|
import logger from "@server/logger";
|
2024-10-13 17:13:47 -04:00
|
|
|
import { TimeSpan } from "oslo";
|
2025-01-01 21:41:31 -05:00
|
|
|
import config from "@server/lib/config";
|
2024-12-22 16:59:30 -05:00
|
|
|
import { sendEmail } from "@server/emails";
|
|
|
|
|
import ResetPasswordCode from "@server/emails/templates/ResetPasswordCode";
|
|
|
|
|
import { hashPassword } from "@server/auth/password";
|
2024-10-05 17:01:49 -04:00
|
|
|
|
2024-12-22 16:59:30 -05:00
|
|
|
export const requestPasswordResetBody = z
|
|
|
|
|
.object({
|
2025-01-21 18:36:50 -05:00
|
|
|
email: z
|
|
|
|
|
.string()
|
|
|
|
|
.email()
|
|
|
|
|
.transform((v) => v.toLowerCase())
|
2024-12-22 16:59:30 -05:00
|
|
|
})
|
|
|
|
|
.strict();
|
2024-10-05 17:01:49 -04:00
|
|
|
|
|
|
|
|
export type RequestPasswordResetBody = z.infer<typeof requestPasswordResetBody>;
|
|
|
|
|
|
|
|
|
|
export type RequestPasswordResetResponse = {
|
|
|
|
|
sentEmail: boolean;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
export async function requestPasswordReset(
|
|
|
|
|
req: Request,
|
|
|
|
|
res: Response,
|
2024-12-22 16:59:30 -05:00
|
|
|
next: NextFunction
|
2024-10-05 17:01:49 -04:00
|
|
|
): Promise<any> {
|
|
|
|
|
const parsedBody = requestPasswordResetBody.safeParse(req.body);
|
|
|
|
|
|
|
|
|
|
if (!parsedBody.success) {
|
|
|
|
|
return next(
|
|
|
|
|
createHttpError(
|
|
|
|
|
HttpCode.BAD_REQUEST,
|
2024-12-22 16:59:30 -05:00
|
|
|
fromError(parsedBody.error).toString()
|
|
|
|
|
)
|
2024-10-05 17:01:49 -04:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const { email } = parsedBody.data;
|
|
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
const existingUser = await db
|
|
|
|
|
.select()
|
|
|
|
|
.from(users)
|
|
|
|
|
.where(eq(users.email, email));
|
|
|
|
|
|
|
|
|
|
if (!existingUser || !existingUser.length) {
|
|
|
|
|
return next(
|
|
|
|
|
createHttpError(
|
|
|
|
|
HttpCode.BAD_REQUEST,
|
2024-12-22 16:59:30 -05:00
|
|
|
"A user with that email does not exist"
|
|
|
|
|
)
|
2024-10-05 17:01:49 -04:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2025-01-21 18:36:50 -05:00
|
|
|
const token = generateRandomString(8, alphabet("0-9", "A-Z", "a-z"));
|
2024-12-24 16:00:02 -05:00
|
|
|
await db.transaction(async (trx) => {
|
|
|
|
|
await trx
|
|
|
|
|
.delete(passwordResetTokens)
|
|
|
|
|
.where(eq(passwordResetTokens.userId, existingUser[0].userId));
|
2024-10-05 17:01:49 -04:00
|
|
|
|
2024-12-24 16:00:02 -05:00
|
|
|
const tokenHash = await hashPassword(token);
|
2024-10-05 17:01:49 -04:00
|
|
|
|
2024-12-24 16:00:02 -05:00
|
|
|
await trx.insert(passwordResetTokens).values({
|
|
|
|
|
userId: existingUser[0].userId,
|
|
|
|
|
email: existingUser[0].email,
|
|
|
|
|
tokenHash,
|
|
|
|
|
expiresAt: createDate(new TimeSpan(2, "h")).getTime()
|
|
|
|
|
});
|
2024-10-05 17:01:49 -04:00
|
|
|
});
|
|
|
|
|
|
2025-01-07 22:41:35 -05:00
|
|
|
const url = `${config.getRawConfig().app.dashboard_url}/auth/reset-password?email=${email}&token=${token}`;
|
2024-12-22 16:59:30 -05:00
|
|
|
|
2025-01-28 21:23:19 -05:00
|
|
|
if (!config.getRawConfig().email) {
|
2025-02-05 22:46:33 -05:00
|
|
|
logger.info(
|
|
|
|
|
`Password reset requested for ${email}. Token: ${token}.`
|
|
|
|
|
);
|
2025-01-28 21:23:19 -05:00
|
|
|
}
|
|
|
|
|
|
2024-12-22 16:59:30 -05:00
|
|
|
await sendEmail(
|
|
|
|
|
ResetPasswordCode({
|
|
|
|
|
email,
|
|
|
|
|
code: token,
|
|
|
|
|
link: url
|
|
|
|
|
}),
|
|
|
|
|
{
|
2025-01-28 21:26:34 -05:00
|
|
|
from: config.getNoReplyEmail(),
|
2024-12-22 16:59:30 -05:00
|
|
|
to: email,
|
|
|
|
|
subject: "Reset your password"
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
|
2024-10-05 17:01:49 -04:00
|
|
|
return response<RequestPasswordResetResponse>(res, {
|
|
|
|
|
data: {
|
2024-12-22 16:59:30 -05:00
|
|
|
sentEmail: true
|
2024-10-05 17:01:49 -04:00
|
|
|
},
|
|
|
|
|
success: true,
|
|
|
|
|
error: false,
|
2024-12-22 16:59:30 -05:00
|
|
|
message: "Password reset requested",
|
|
|
|
|
status: HttpCode.OK
|
2024-10-05 17:01:49 -04:00
|
|
|
});
|
|
|
|
|
} catch (e) {
|
2024-12-21 21:01:12 -05:00
|
|
|
logger.error(e);
|
2024-10-05 17:01:49 -04:00
|
|
|
return next(
|
|
|
|
|
createHttpError(
|
|
|
|
|
HttpCode.INTERNAL_SERVER_ERROR,
|
2024-12-22 16:59:30 -05:00
|
|
|
"Failed to process password reset request"
|
|
|
|
|
)
|
2024-10-05 17:01:49 -04:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
