reset password API complete

2025-03-19 12:40:03 +01:00 · 2024-03-25 15:39:04 +01:00 · 2024-03-25 15:39:04 +01:00 · dbdc9f78c5
commit dbdc9f78c5
parent c06869d3b4
3 changed files with 68 additions and 12 deletions
--- a/backend/apis/nodejs/src/models/person_model.js
+++ b/backend/apis/nodejs/src/models/person_model.js
@ -139,7 +139,7 @@ async function remove(personId) {

 async function confirmActivation(personId) {
  await knex.transaction(async (tr) => {
-    await knex('Person')
+    await tr('Person')
      .where('id', personId)
      .update({
        enabled: true
@ -149,7 +149,6 @@ async function confirmActivation(personId) {
      .where('person_id', personId)
      .del();
  });
-
 }

 // Exporting a function
--- a/backend/apis/nodejs/src/models/reset_password_model.js
+++ b/backend/apis/nodejs/src/models/reset_password_model.js
@ -13,14 +13,47 @@

 const knex = require('../utils/knex_config');

-async function add(email, secret){
+async function add(email, secret) {
    await knex('RequestResetPassword')
-    .insert({
-        email,
+        .insert({
+            email,
+            secret
+        });
+}
+
+async function findBySecret(secret) {
+    return await knex('RequestResetPassword').where({
        secret
+    }).first();
+}
+
+/**
+ * Given a secret and a new password, update the Peron's personal password
+ *
+ * @param {*} password The new (hashed) password
+ * @param {*} secret The secret received via e-mail (table RequestResetPassword)
+ * @returns 
+ */
+async function resetPassword(password, secret) {
+    const request = await findBySecret(secret);
+    if (!request) {
+        return;
+    }
+    await knex.transaction(async tr => {
+        await tr('Person').where({
+            email: request.email
+        }).update({
+            password
+        });
+
+        await tr('RequestResetPassword').where({
+            email
+        }).del();
    });
 }

 module.exports = {
-    add
+    add,
+    findBySecret,
+    resetPassword
 }
--- a/backend/apis/nodejs/src/routes/reset_password_routes.js
+++ b/backend/apis/nodejs/src/routes/reset_password_routes.js
@ -13,21 +13,22 @@

 const Person = require('../models/person_model');
 const mailUtils = require('../utils/mail_utils');
-const RequestResetPassword = require('../models/reset_password_model');
+const ResetPassword = require('../models/reset_password_model');
 const crypto = require('crypto');
 const express = require('express');
+const bcrypt = require('bcrypt');

 async function add(req, res) {
    try {
        const userExists = await Person.findByEmail(req.body.email);
        // If the user does not exist, do not inform them of the absence
-        // of the user
        if (userExists) {
            const secret = crypto.randomBytes(16).toString('hex');
-            await RequestResetPassword.add(req.body.email, secret);
-            mailUtils.sendMail(req.body.email, 'Blink Reset Password', secret, null);
+            await ResetPassword.add(req.body.email, secret);
+            const body = `Click on this link: ...${secret} to reset your Blink password. If you did not ask for such a change, simply ignore this e-mail.`;
+            mailUtils.sendMail(req.body.email, 'Blink Reset Password', body, null);
        }
-        return res.status(204).send();
+        res.status(204).send();
    } catch (error) {
        console.error(`Error in function ${registerPerson.name}: ${error}`);
        res.status(500).json({
@ -36,9 +37,32 @@ async function add(req, res) {
    }
 }

+async function reset(req, res) {
+    try {
+        const requester = await ResetPassword.findBySecret(req.body.secret);
+        if (requester) {
+            const diffMilliseconds = Date.now() - requester.time_of_request.getTime();
+            // Check whether the request was not performed more than 30 minutes ago
+            if(diffMilliseconds / (1000 * 60) <= 30){
+                const newPassword = await bcrypt.hash(req.body.password, 10);
+                ResetPassword.resetPassword(newPassword, req.body.secret);
+                return res.status(204).send();
+            }
+        }
+        return res.status(400).send("Request either invalid or expired");
+        
+    } catch (error) {
+        console.error(`Error in function ${reset.name}: ${error}`);
+        res.status(500).json({
+            error: 'Internal server error'
+        });
+    }
+}
+
 const routes = express.Router();
 routes.post('/request', add);
+routes.post('/reset', reset);

 module.exports = {
-  routes
+    routes
 };