Add endpoints for password resrt

Author: MrBartusek

apps/api/src/auth/auth.controller.ts

@@ -19,6 +19,7 @@ import { AuthService } from './auth.service';
 import { UserRegisterDto } from './dto/user-register.dto';
 import { AuthenticatedGuard } from './guards/authenticated.guard';
 import { LocalAuthGuard } from './guards/local-auth.guard';
+import { ResetPasswordDto } from './dto/reset-password.dto';
 
 @Controller('auth')
 @ApiTags('auth')
@@ -68,7 +69,7 @@ export class AuthController {
 	@UseGuards(AuthenticatedGuard)
 	async startEmailConfirmation(@Req() request: Request): Promise<any> {
 		const userId = new Types.ObjectId(request.user.id);
-		await this.authService.retryConfirmationEmail(userId);
+		await this.authService.sendEmailConfirmation(userId);
 		return { statusCode: 200 };
 	}
 
@@ -80,4 +81,19 @@ export class AuthController {
 		const user = await this.authService.confirmUserEmail(userId, token);
 		return User.toPrivateDto(user);
 	}
+
+	@Post('reset-password/start')
+	@UseGuards(AuthenticatedGuard)
+	async startPasswordReset(@Query('email') email: string): Promise<any> {
+		await this.authService.sendPasswordResetEmail(email);
+		return { statusCode: 200 };
+	}
+
+	@Post('reset-password/reset')
+	@UseGuards(AuthenticatedGuard)
+	async resetPassword(@Body() dto: ResetPasswordDto): Promise<any> {
+		const userId = new Types.ObjectId(dto.user);
+		await this.authService.resetUserPassword(userId, dto.token, dto.password);
+		return { statusCode: 200 };
+	}
 }

apps/api/src/auth/auth.service.ts

@@ -1,15 +1,15 @@
 import { BadRequestException, Injectable, Logger, NotFoundException } from '@nestjs/common';
 import * as bcrypt from 'bcrypt';
+import { differenceInMinutes } from 'date-fns';
 import { Types } from 'mongoose';
 import { EmailsService } from '../emails/emails.service';
 import { UserDocument } from '../models/users/schemas/user.schema';
+import { UsersTokenService } from '../models/users/users-token.service';
 import { UsersService } from '../models/users/users.service';
 import { UserRegisterDto } from './dto/user-register.dto';
 import { EmailConfirmTemplate } from './templates/email-confirm.template';
-import { UsersTokenService } from '../models/users/users-token.service';
-import { EMAIL_CONFIRM_TOKEN } from './types/emailTokenTypes';
-import { log } from 'console';
-import { differenceInDays, differenceInMinutes } from 'date-fns';
+import { PasswordRestTemplate } from './templates/password-reset.template';
+import { EMAIL_CONFIRM_TOKEN, PASSWORD_RESET_TOKEN } from './types/emailTokenTypes';
 
 @Injectable()
 export class AuthService {
@@ -22,15 +22,15 @@ export class AuthService {
 	private readonly logger = new Logger(AuthService.name);
 
 	async registerUser(data: UserRegisterDto): Promise<UserDocument> {
-		const hash = await bcrypt.hash(data.password, 12);
+		const hash = await this.hashPassword(data.password);
 
 		const user = await this.usersService.create({
 			username: data.username,
 			email: data.email,
 			passwordHash: hash,
 		});
 
-		await this.sendEmailConfirmation(user).catch((error) => {
+		await this.sendEmailConfirmation(user._id).catch((error) => {
 			this.logger.error(`Failed to send initial confirmation E-mail ${error}`);
 		});
 
@@ -53,7 +53,7 @@ export class AuthService {
 		}
 	}
 
-	async confirmUserEmail(userId: Types.ObjectId, token: string): Promise<any> {
+	async confirmUserEmail(userId: Types.ObjectId, token: string): Promise<UserDocument> {
 		const tokenValid = await this.usersTokenService.validateToken({
 			userId,
 			token,
@@ -68,26 +68,40 @@ export class AuthService {
 		return this.usersService.setConfirmed(userId, true);
 	}
 
-	async retryConfirmationEmail(userId: Types.ObjectId) {
+	async resetUserPassword(
+		userId: Types.ObjectId,
+		token: string,
+		password: string,
+	): Promise<UserDocument> {
+		const tokenValid = await this.usersTokenService.validateToken({
+			userId,
+			token,
+			type: PASSWORD_RESET_TOKEN,
+		});
+
+		if (!tokenValid) {
+			throw new BadRequestException('This password reset token is invalid or expired');
+		}
+
+		await this.usersTokenService.invalidateToken(userId, token);
+
+		// Confirm email on password reset
+		await this.usersService.setConfirmed(userId, true);
+
+		const hash = await this.hashPassword(password);
+		return this.usersService.findOneByIdAndUpdate(userId, { 'auth.password': hash });
+	}
+
+	async sendEmailConfirmation(userId: Types.ObjectId) {
 		const user = await this.usersService.findById(userId);
 		if (!user) throw new NotFoundException('User not found');
 
 		if (user.profile.isConfirmed) {
 			throw new BadRequestException('This user E-mail address is already confirmed');
 		}
 
-		const lastRetry = await this.usersTokenService.getLastRetry(userId, EMAIL_CONFIRM_TOKEN);
-		if (lastRetry) {
-			const minutesDiff = differenceInMinutes(new Date(), lastRetry);
-			if (minutesDiff < 5) {
-				throw new BadRequestException('Please wait before sending next confirmation email');
-			}
-		}
-
-		return this.sendEmailConfirmation(user);
-	}
+		await this.validateIfCanSendEmail(userId, EMAIL_CONFIRM_TOKEN);
 
-	async sendEmailConfirmation(user: UserDocument) {
 		const token = await this.usersTokenService.generateAndSaveToken({
 			userId: user._id,
 			type: EMAIL_CONFIRM_TOKEN,
@@ -100,4 +114,40 @@ export class AuthService {
 			text: content.toString(),
 		});
 	}
+
+	async sendPasswordResetEmail(email: string) {
+		const user = await this.usersService.findByEmail(email);
+		if (!user) throw new NotFoundException('This E-mail is not associated with any user account!');
+
+		await this.validateIfCanSendEmail(user._id, PASSWORD_RESET_TOKEN);
+
+		const token = await this.usersTokenService.generateAndSaveToken({
+			userId: user._id,
+			type: PASSWORD_RESET_TOKEN,
+		});
+		const content = new PasswordRestTemplate(user._id, token);
+
+		return this.emailService.sendEmail({
+			to: user.profile.email,
+			subject: '[StockedUp] Password reset request',
+			text: content.toString(),
+		});
+	}
+
+	private async validateIfCanSendEmail(userId: Types.ObjectId, token: string): Promise<boolean> {
+		const lastRetry = await this.usersTokenService.getLastRetry(userId, token);
+		if (lastRetry) {
+			const minutesDiff = differenceInMinutes(new Date(), lastRetry);
+			if (minutesDiff < 10) {
+				throw new BadRequestException(
+					'The confirmation email was sent recently, please check your inbox',
+				);
+			}
+		}
+		return true;
+	}
+
+	private hashPassword(input: string): Promise<string> {
+		return bcrypt.hash(input, 12);
+	}
 }

apps/api/src/auth/dto/reset-password.dto.ts

@@ -0,0 +1,13 @@
+import { IsMongoId, IsString, Length } from 'class-validator';
+import { IResetPasswordDto } from 'shared-types';
+
+export class ResetPasswordDto implements IResetPasswordDto {
+	@IsMongoId()
+	user: string;
+
+	@IsString()
+	token: string;
+
+	@Length(4, 32)
+	public password: string;
+}

apps/api/src/auth/templates/password-reset.template.ts

@@ -0,0 +1,29 @@
+import { Types } from 'mongoose';
+import { EmailTemplate } from '../../emails/types/email-template.type';
+import Utils from '../../helpers/utils';
+
+const BASE_URL = Utils.isProduction() ? 'https://stockedup.dokurno.dev/' : 'http://localhost:5173/';
+
+export class PasswordRestTemplate implements EmailTemplate {
+	constructor(
+		private readonly userId: Types.ObjectId,
+		private readonly token: string,
+	) {}
+
+	toString(): string {
+		const url = `${BASE_URL}reset-password?user=${this.userId.toString()}&token=${this.token}`;
+		return (
+			`Hello,` +
+			`\r\n` +
+			`We've received a request to reset the password for StockedUp account associated ` +
+			`with this e-mail address. No changes were made to your account yet.` +
+			`\r\n\r\n` +
+			`You can reset your password by clicking this link:` +
+			`\r\n` +
+			url +
+			`\r\n\r\n` +
+			`If you didn't request a password reset, you can safely ignore this e-mail. ` +
+			`No changes to your account will be made.`
+		);
+	}
+}

apps/api/src/auth/types/emailTokenTypes.ts

@@ -1,3 +1,4 @@
 const EMAIL_CONFIRM_TOKEN = 'EMAIL_CONFIRM_TOKEN';
+const PASSWORD_RESET_TOKEN = 'PASSWORD_RESET_TOKEN';
 
-export { EMAIL_CONFIRM_TOKEN };
+export { EMAIL_CONFIRM_TOKEN, PASSWORD_RESET_TOKEN };

apps/api/src/emails/emails.service.ts

@@ -9,7 +9,6 @@ const EMAIL_FOOTER = `
 
 Thanks,
 StockedUp Team
-
 ---
 This is automated message sent by StockedUp. Please do not reply to this email.
 If you received this email by mistake or believe it is a spam, please forward it to [email protected]`;

apps/api/src/models/users/users.service.ts

@@ -71,6 +71,10 @@ export class UsersService {
 		});
 	}
 
+	findByEmail(email: string): Promise<UserDocument | undefined> {
+		return this.userRepository.findOne({ 'profile.email': email });
+	}
+
 	find(entityFilterQuery: FilterQuery<UserDocument>): Promise<UserDocument[]> {
 		return this.userRepository.find(entityFilterQuery);
 	}

packages/shared-types/src/auth/IResetPasswordDto.ts

@@ -0,0 +1,5 @@
+export interface IResetPasswordDto {
+    user: string;
+    token: string;
+    password: string;
+}

packages/shared-types/src/index.ts

@@ -1,6 +1,7 @@
 import { IImageDto } from './ImageDto';
 import { OrganizationSecurityRole } from './OrganizationSecurityRole';
 import { SimpleResponseDto } from './SimpleResponseDto';
+import { IResetPasswordDto } from './auth/IResetPasswordDto';
 import { IUserRegisterDto } from './auth/IUserRegisterDto';
 import { UserLoginDto } from './auth/UserLoginDto';
 import { BasicInventoryItemDto } from './inventory/BasicInventoryItemDto';
@@ -65,6 +66,7 @@ export {
     SortDirection,
     UserDto,
     UserLoginDto,
-    WarehouseDto
+    WarehouseDto,
+    IResetPasswordDto
 };