added change password endpoint

2025-08-03 09:34:48 +02:00 · 2024-10-05 15:11:51 -04:00 · 2024-10-05 15:11:51 -04:00 · e7080c4aa8
commit e7080c4aa8
parent 86fb43d570
9 changed files with 207 additions and 71 deletions
--- a/server/routers/auth/changePassword.ts
+++ b/server/routers/auth/changePassword.ts
@ -0,0 +1,113 @@
+import { Request, Response, NextFunction } from "express";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { fromError } from "zod-validation-error";
+import lucia, { unauthorized } from "@server/auth";
+import { z } from "zod";
+import { db } from "@server/db";
+import { User, users } from "@server/db/schema";
+import { eq } from "drizzle-orm";
+import { response } from "@server/utils";
+import { hashPassword, verifyPassword } from "./password";
+import { verifyTotpCode } from "./verifyTotpCode";
+import { passwordSchema } from "./passwordSchema";
+import logger from "@server/logger";
+
+export const changePasswordBody = z.object({
+    oldPassword: z.string(),
+    newPassword: passwordSchema,
+    code: z.string().optional(),
+});
+
+export type ChangePasswordBody = z.infer<typeof changePasswordBody>;
+
+export type ChangePasswordResponse = {
+    codeRequested?: boolean;
+};
+
+export async function changePassword(
+    req: Request,
+    res: Response,
+    next: NextFunction,
+): Promise<any> {
+    const parsedBody = changePasswordBody.safeParse(req.body);
+
+    if (!parsedBody.success) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                fromError(parsedBody.error).toString(),
+            ),
+        );
+    }
+
+    const { newPassword, oldPassword, code } = parsedBody.data;
+    const user = req.user as User;
+
+    try {
+        if (newPassword === oldPassword) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "New password cannot be the same as the old password",
+                ),
+            );
+        }
+
+        const validPassword = await verifyPassword(
+            oldPassword,
+            user.passwordHash,
+        );
+        if (!validPassword) {
+            return next(unauthorized());
+        }
+
+        if (user.twoFactorEnabled) {
+            if (!code) {
+                return response<{ codeRequested: boolean }>(res, {
+                    data: { codeRequested: true },
+                    success: true,
+                    error: false,
+                    message: "Two-factor authentication required",
+                    status: HttpCode.ACCEPTED,
+                });
+            }
+            const validOTP = await verifyTotpCode(code!, user.twoFactorSecret!);
+
+            if (!validOTP) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "The two-factor code you entered is incorrect",
+                    ),
+                );
+            }
+        }
+
+        const hash = await hashPassword(newPassword);
+
+        await db
+            .update(users)
+            .set({
+                passwordHash: hash,
+            })
+            .where(eq(users.id, user.id));
+
+        await lucia.invalidateUserSessions(user.id);
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Password changed successfully",
+            status: HttpCode.OK,
+        });
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to authenticate user",
+            ),
+        );
+    }
+}