reset password flow

2025-08-04 10:05:53 +02:00 · 2024-12-22 16:59:30 -05:00 · 2024-12-22 16:59:30 -05:00 · f224bfa4ee
commit f224bfa4ee
parent 9c37036a39
22 changed files with 739 additions and 184 deletions
--- a/server/routers/auth/login.ts
+++ b/server/routers/auth/login.ts
@ -3,7 +3,7 @@ import {
    createSession,
    generateSessionToken,
    serializeSessionCookie,
-    verifySession,
+    verifySession
 } from "@server/auth";
 import db from "@server/db";
 import { users } from "@server/db/schema";
@ -17,12 +17,15 @@ import { fromError } from "zod-validation-error";
 import { verifyTotpCode } from "@server/auth/2fa";
 import config from "@server/config";
 import logger from "@server/logger";
+import { verifyPassword } from "@server/auth/password";

-export const loginBodySchema = z.object({
-    email: z.string().email(),
-    password: z.string(),
-    code: z.string().optional(),
-}).strict();
+export const loginBodySchema = z
+    .object({
+        email: z.string().email(),
+        password: z.string(),
+        code: z.string().optional()
+    })
+    .strict();

 export type LoginBody = z.infer<typeof loginBodySchema>;

@ -57,7 +60,7 @@ export async function login(
                success: true,
                error: false,
                message: "Already logged in",
-                status: HttpCode.OK,
+                status: HttpCode.OK
            });
        }

@ -76,15 +79,9 @@ export async function login(

        const existingUser = existingUserRes[0];

-        const validPassword = await verify(
-            existingUser.passwordHash,
+        const validPassword = await verifyPassword(
            password,
-            {
-                memoryCost: 19456,
-                timeCost: 2,
-                outputLen: 32,
-                parallelism: 1,
-            }
+            existingUser.passwordHash
        );
        if (!validPassword) {
            return next(
@ -102,7 +99,7 @@ export async function login(
                    success: true,
                    error: false,
                    message: "Two-factor authentication required",
-                    status: HttpCode.ACCEPTED,
+                    status: HttpCode.ACCEPTED
                });
            }

@ -137,7 +134,7 @@ export async function login(
                success: true,
                error: false,
                message: "Email verification code sent",
-                status: HttpCode.OK,
+                status: HttpCode.OK
            });
        }

@ -146,7 +143,7 @@ export async function login(
            success: true,
            error: false,
            message: "Logged in successfully",
-            status: HttpCode.OK,
+            status: HttpCode.OK
        });
    } catch (e) {
        logger.error(e);
--- a/server/routers/auth/requestPasswordReset.ts
+++ b/server/routers/auth/requestPasswordReset.ts
@ -7,16 +7,22 @@ import { response } from "@server/utils";
 import { db } from "@server/db";
 import { passwordResetTokens, users } from "@server/db/schema";
 import { eq } from "drizzle-orm";
-import { sha256 } from "oslo/crypto";
+import { alphabet, generateRandomString, sha256 } from "oslo/crypto";
 import { encodeHex } from "oslo/encoding";
 import { createDate } from "oslo";
 import logger from "@server/logger";
 import { generateIdFromEntropySize } from "@server/auth";
 import { TimeSpan } from "oslo";
+import config from "@server/config";
+import { sendEmail } from "@server/emails";
+import ResetPasswordCode from "@server/emails/templates/ResetPasswordCode";
+import { hashPassword } from "@server/auth/password";

-export const requestPasswordResetBody = z.object({
-    email: z.string().email(),
-}).strict();
+export const requestPasswordResetBody = z
+    .object({
+        email: z.string().email()
+    })
+    .strict();

 export type RequestPasswordResetBody = z.infer<typeof requestPasswordResetBody>;

@ -27,7 +33,7 @@ export type RequestPasswordResetResponse = {
 export async function requestPasswordReset(
    req: Request,
    res: Response,
-    next: NextFunction,
+    next: NextFunction
 ): Promise<any> {
    const parsedBody = requestPasswordResetBody.safeParse(req.body);

@ -35,8 +41,8 @@ export async function requestPasswordReset(
        return next(
            createHttpError(
                HttpCode.BAD_REQUEST,
-                fromError(parsedBody.error).toString(),
-            ),
+                fromError(parsedBody.error).toString()
+            )
        );
    }

@ -52,8 +58,8 @@ export async function requestPasswordReset(
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
-                    "No user with that email exists",
-                ),
+                    "A user with that email does not exist"
+                )
            );
        }

@ -61,36 +67,47 @@ export async function requestPasswordReset(
            .delete(passwordResetTokens)
            .where(eq(passwordResetTokens.userId, existingUser[0].userId));

-        const token = generateIdFromEntropySize(25);
-        const tokenHash = encodeHex(
-            await sha256(new TextEncoder().encode(token)),
-        );
+        const token = generateRandomString(8, alphabet("0-9", "A-Z", "a-z"));
+        const tokenHash = await hashPassword(token);

        await db.insert(passwordResetTokens).values({
            userId: existingUser[0].userId,
+            email: existingUser[0].email,
            tokenHash,
-            expiresAt: createDate(new TimeSpan(2, "h")).getTime(),
+            expiresAt: createDate(new TimeSpan(2, "h")).getTime()
        });

-        // TODO: send email with link to reset password on dashboard
-        // something like: https://example.com/auth/reset-password?email=${email}&?token=${token}
-        // for now, just log the token
+        const url = `${config.app.base_url}/auth/reset-password?email=${email}&token=${token}`;
+
+        await sendEmail(
+            ResetPasswordCode({
+                email,
+                code: token,
+                link: url
+            }),
+            {
+                from: config.email?.no_reply,
+                to: email,
+                subject: "Reset your password"
+            }
+        );
+
        return response<RequestPasswordResetResponse>(res, {
            data: {
-                sentEmail: true,
+                sentEmail: true
            },
            success: true,
            error: false,
-            message: "Password reset email sent",
-            status: HttpCode.OK,
+            message: "Password reset requested",
+            status: HttpCode.OK
        });
    } catch (e) {
        logger.error(e);
        return next(
            createHttpError(
                HttpCode.INTERNAL_SERVER_ERROR,
-                "Failed to process password reset request",
-            ),
+                "Failed to process password reset request"
+            )
        );
    }
 }
--- a/server/routers/auth/requestTotpSecret.ts
+++ b/server/routers/auth/requestTotpSecret.ts
@ -13,6 +13,7 @@ import { verify } from "@node-rs/argon2";
 import { createTOTPKeyURI } from "oslo/otp";
 import config from "@server/config";
 import logger from "@server/logger";
+import { verifyPassword } from "@server/auth/password";

 export const requestTotpSecretBody = z
    .object({
@ -47,12 +48,7 @@ export async function requestTotpSecret(
    const user = req.user as User;

    try {
-        const validPassword = await verify(user.passwordHash, password, {
-            memoryCost: 19456,
-            timeCost: 2,
-            outputLen: 32,
-            parallelism: 1
-        });
+        const validPassword = await verifyPassword(password, user.passwordHash);
        if (!validPassword) {
            return next(unauthorized());
        }
--- a/server/routers/auth/resetPassword.ts
+++ b/server/routers/auth/resetPassword.ts
@ -8,7 +8,7 @@ import { db } from "@server/db";
 import { passwordResetTokens, users } from "@server/db/schema";
 import { eq } from "drizzle-orm";
 import { sha256 } from "oslo/crypto";
-import { hashPassword } from "@server/auth/password";
+import { hashPassword, verifyPassword } from "@server/auth/password";
 import { verifyTotpCode } from "@server/auth/2fa";
 import { passwordSchema } from "@server/auth/passwordSchema";
 import { encodeHex } from "oslo/encoding";
@ -18,9 +18,10 @@ import logger from "@server/logger";

 export const resetPasswordBody = z
    .object({
-        token: z.string(),
+        email: z.string().email(),
+        token: z.string(), // reset secret code
        newPassword: passwordSchema,
-        code: z.string().optional()
+        code: z.string().optional() // 2fa code
    })
    .strict();

@ -46,27 +47,28 @@ export async function resetPassword(
        );
    }

-    const { token, newPassword, code } = parsedBody.data;
+    const { token, newPassword, code, email } = parsedBody.data;

    try {
-        const tokenHash = encodeHex(
-            await sha256(new TextEncoder().encode(token))
-        );
-
        const resetRequest = await db
            .select()
            .from(passwordResetTokens)
-            .where(eq(passwordResetTokens.tokenHash, tokenHash));
+            .where(eq(passwordResetTokens.email, email));

-        if (
-            !resetRequest ||
-            !resetRequest.length ||
-            !isWithinExpirationDate(new Date(resetRequest[0].expiresAt))
-        ) {
+        if (!resetRequest || !resetRequest.length) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
-                    "Invalid or expired password reset token"
+                    "Invalid password reset token"
+                )
+            );
+        }
+
+        if (!isWithinExpirationDate(new Date(resetRequest[0].expiresAt))) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Password reset token has expired"
                )
            );
        }
@ -112,6 +114,20 @@ export async function resetPassword(
            }
        }

+        const isTokenValid = await verifyPassword(
+            token,
+            resetRequest[0].tokenHash
+        );
+
+        if (!isTokenValid) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Invalid password reset token"
+                )
+            );
+        }
+
        const passwordHash = await hashPassword(newPassword);

        await invalidateAllSessions(resetRequest[0].userId);
@ -123,7 +139,7 @@ export async function resetPassword(

        await db
            .delete(passwordResetTokens)
-            .where(eq(passwordResetTokens.tokenHash, tokenHash));
+            .where(eq(passwordResetTokens.email, email));

        // TODO: send email to user confirming password reset

--- a/server/routers/auth/signup.ts
+++ b/server/routers/auth/signup.ts
@ -21,6 +21,7 @@ import {
 import { ActionsEnum } from "@server/auth/actions";
 import config from "@server/config";
 import logger from "@server/logger";
+import { hashPassword } from "@server/auth/password";

 export const signupBodySchema = z.object({
    email: z.string().email(),
@ -51,12 +52,7 @@ export async function signup(

    const { email, password } = parsedBody.data;

-    const passwordHash = await hash(password, {
-        memoryCost: 19456,
-        timeCost: 2,
-        outputLen: 32,
-        parallelism: 1,
-    });
+    const passwordHash = await hashPassword(password);
    const userId = generateId(15);

    try {