overleaf/services/web/app/src/Features/PasswordReset/PasswordResetController.js

const PasswordResetHandler = require('./PasswordResetHandler')
const RateLimiter = require('../../infrastructure/RateLimiter')
const AuthenticationController = require('../Authentication/AuthenticationController')
const UserGetter = require('../User/UserGetter')
const UserUpdater = require('../User/UserUpdater')
const UserSessionsManager = require('../User/UserSessionsManager')
const OError = require('@overleaf/o-error')
const EmailsHelper = require('../Helpers/EmailHelper')
const { expressify } = require('../../util/promises')

async function setNewUserPassword(req, res, next) {
  let user
  let { passwordResetToken, password } = req.body
  if (!passwordResetToken || !password) {
    return res.sendStatus(400)
  }
  passwordResetToken = passwordResetToken.trim()
  delete req.session.resetToken

  const initiatorId = AuthenticationController.getLoggedInUserId(req)
  // password reset via tokens can be done while logged in, or not
  const auditLog = {
    initiatorId,
    ip: req.ip
  }

  try {
    const result = await PasswordResetHandler.promises.setNewUserPassword(
      passwordResetToken,
      password,
      auditLog
    )
    let { found, reset, userId } = result
    if (!found) return res.sendStatus(404)
    if (!reset) return res.sendStatus(500)
    await UserSessionsManager.promises.revokeAllUserSessions(
      { _id: userId },
      []
    )
    await UserUpdater.promises.removeReconfirmFlag(userId)
    if (!req.session.doLoginAfterPasswordReset) {
      return res.sendStatus(200)
    }
    user = await UserGetter.promises.getUser(userId)
  } catch (error) {
    if (error.name === 'NotFoundError') {
      return res.sendStatus(404)
    } else if (error.name === 'InvalidPasswordError') {
      return res.sendStatus(400)
    } else {
      return res.sendStatus(500)
    }
  }

  AuthenticationController.finishLogin(user, req, res, next)
}

module.exports = {
  renderRequestResetForm(req, res) {
    res.render('user/passwordReset', { title: 'reset_password' })
  },

  requestReset(req, res, next) {
    const email = req.body.email.trim().toLowerCase()
    const opts = {
      endpointName: 'password_reset_rate_limit',
      timeInterval: 60,
      subjectName: req.ip,
      throttle: 6
    }
    RateLimiter.addCount(opts, (err, canContinue) => {
      if (err != null) {
        return next(
          new OError('rate-limit password reset failed').withCause(err)
        )
      }
      if (!canContinue) {
        return res.status(429).send({
          message: req.i18n.translate('rate_limit_hit_wait')
        })
      }
      PasswordResetHandler.generateAndEmailResetToken(email, (err, status) => {
        if (err != null) {
          OError.tag(err, 'failed to generate and email password reset token', {
            email
          })
          next(err)
        } else if (status === 'primary') {
          res.status(200).send({
            message: { text: req.i18n.translate('password_reset_email_sent') }
          })
        } else if (status === 'secondary') {
          res.status(404).send({
            message: req.i18n.translate('secondary_email_password_reset')
          })
        } else {
          res.status(404).send({
            message: req.i18n.translate('cant_find_email')
          })
        }
      })
    })
  },

  renderSetPasswordForm(req, res) {
    if (req.query.passwordResetToken != null) {
      req.session.resetToken = req.query.passwordResetToken
      let emailQuery = ''
      if (typeof req.query.email === 'string') {
        const email = EmailsHelper.parseEmail(req.query.email)
        if (email) {
          emailQuery = `?email=${encodeURIComponent(email)}`
        }
      }
      return res.redirect('/user/password/set' + emailQuery)
    }
    if (req.session.resetToken == null) {
      return res.redirect('/user/password/reset')
    }
    res.render('user/setPassword', {
      title: 'set_password',
      passwordResetToken: req.session.resetToken
    })
  },

  setNewUserPassword: expressify(setNewUserPassword)
}
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`const PasswordResetHandler = require('./PasswordResetHandler')`
			`const RateLimiter = require('../../infrastructure/RateLimiter')`
			`const AuthenticationController = require('../Authentication/AuthenticationController')`
			`const UserGetter = require('../User/UserGetter')`
			`const UserUpdater = require('../User/UserUpdater')`
			`const UserSessionsManager = require('../User/UserSessionsManager')`
Merge pull request #3231 from overleaf/jpa-hide-internal-error-messages [misc] PasswordResetController: do not expose internal error messages GitOrigin-RevId: 9eca5e7f5367559d5340363ef859589e218e817f 2020-09-28 06:51:57 -04:00			`const OError = require('@overleaf/o-error')`
Merge pull request #3824 from overleaf/jpa-password-reset-email-forwarding [misc] fix passing around of users email as part of password reset GitOrigin-RevId: 54e8cde9867a2ce735bc7ebe281ead19ef49e6cd 2021-03-31 05:35:29 -04:00			`const EmailsHelper = require('../Helpers/EmailHelper')`
Merge pull request #3078 from overleaf/jel-log-password-reset-by-token Update audit log when password reset by token GitOrigin-RevId: 2ae7f59c5cdf2723e541a99c58c36564cc82adbf 2020-08-13 09:42:28 -04:00			`const { expressify } = require('../../util/promises')`

			`async function setNewUserPassword(req, res, next) {`
			`let user`
			`let { passwordResetToken, password } = req.body`
			`if (!passwordResetToken \|\| !password) {`
			`return res.sendStatus(400)`
			`}`
			`passwordResetToken = passwordResetToken.trim()`
			`delete req.session.resetToken`

			`const initiatorId = AuthenticationController.getLoggedInUserId(req)`
			`// password reset via tokens can be done while logged in, or not`
			`const auditLog = {`
			`initiatorId,`
			`ip: req.ip`
			`}`

			`try {`
			`const result = await PasswordResetHandler.promises.setNewUserPassword(`
			`passwordResetToken,`
			`password,`
			`auditLog`
			`)`
			`let { found, reset, userId } = result`
			`if (!found) return res.sendStatus(404)`
			`if (!reset) return res.sendStatus(500)`
			`await UserSessionsManager.promises.revokeAllUserSessions(`
			`{ _id: userId },`
			`[]`
			`)`
			`await UserUpdater.promises.removeReconfirmFlag(userId)`
			`if (!req.session.doLoginAfterPasswordReset) {`
			`return res.sendStatus(200)`
			`}`
			`user = await UserGetter.promises.getUser(userId)`
			`} catch (error) {`
			`if (error.name === 'NotFoundError') {`
			`return res.sendStatus(404)`
			`} else if (error.name === 'InvalidPasswordError') {`
			`return res.sendStatus(400)`
			`} else {`
			`return res.sendStatus(500)`
			`}`
			`}`

			`AuthenticationController.finishLogin(user, req, res, next)`
			`}`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00
			`module.exports = {`
			`renderRequestResetForm(req, res) {`
Merge pull request #1944 from overleaf/em-password-reset Store the email address in the password reset token data GitOrigin-RevId: 9aa2eaff49de9ac88258cb996202934dab71cc0a 2019-07-04 08:40:12 -04:00			`res.render('user/passwordReset', { title: 'reset_password' })`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`},`

Merge pull request #1944 from overleaf/em-password-reset Store the email address in the password reset token data GitOrigin-RevId: 9aa2eaff49de9ac88258cb996202934dab71cc0a 2019-07-04 08:40:12 -04:00			`requestReset(req, res, next) {`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`const email = req.body.email.trim().toLowerCase()`
			`const opts = {`
			`endpointName: 'password_reset_rate_limit',`
			`timeInterval: 60,`
			`subjectName: req.ip,`
			`throttle: 6`
			`}`
remove v1 deps for password change/reset GitOrigin-RevId: be25f19ae589c50bfde0b170860127fa8d6f63b7 2019-06-14 12:31:46 -04:00			`RateLimiter.addCount(opts, (err, canContinue) => {`
Merge pull request #1944 from overleaf/em-password-reset Store the email address in the password reset token data GitOrigin-RevId: 9aa2eaff49de9ac88258cb996202934dab71cc0a 2019-07-04 08:40:12 -04:00			`if (err != null) {`
Merge pull request #3231 from overleaf/jpa-hide-internal-error-messages [misc] PasswordResetController: do not expose internal error messages GitOrigin-RevId: 9eca5e7f5367559d5340363ef859589e218e817f 2020-09-28 06:51:57 -04:00			`return next(`
			`new OError('rate-limit password reset failed').withCause(err)`
			`)`
Merge pull request #1944 from overleaf/em-password-reset Store the email address in the password reset token data GitOrigin-RevId: 9aa2eaff49de9ac88258cb996202934dab71cc0a 2019-07-04 08:40:12 -04:00			`}`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`if (!canContinue) {`
Merge pull request #2746 from overleaf/ew-jpa-fix-deprecated-express-methods [misc] fix express deprecations GitOrigin-RevId: 78c730578c6a671f142837c98f98d5fd260332a5 2020-05-06 06:02:16 -04:00			`return res.status(429).send({`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`message: req.i18n.translate('rate_limit_hit_wait')`
			`})`
			`}`
remove v1 deps for password change/reset GitOrigin-RevId: be25f19ae589c50bfde0b170860127fa8d6f63b7 2019-06-14 12:31:46 -04:00			`PasswordResetHandler.generateAndEmailResetToken(email, (err, status) => {`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`if (err != null) {`
Merge pull request #3231 from overleaf/jpa-hide-internal-error-messages [misc] PasswordResetController: do not expose internal error messages GitOrigin-RevId: 9eca5e7f5367559d5340363ef859589e218e817f 2020-09-28 06:51:57 -04:00			`OError.tag(err, 'failed to generate and email password reset token', {`
			`email`
			`})`
			`next(err)`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`} else if (status === 'primary') {`
Merge pull request #2746 from overleaf/ew-jpa-fix-deprecated-express-methods [misc] fix express deprecations GitOrigin-RevId: 78c730578c6a671f142837c98f98d5fd260332a5 2020-05-06 06:02:16 -04:00			`res.status(200).send({`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`message: { text: req.i18n.translate('password_reset_email_sent') }`
			`})`
			`} else if (status === 'secondary') {`
Merge pull request #2746 from overleaf/ew-jpa-fix-deprecated-express-methods [misc] fix express deprecations GitOrigin-RevId: 78c730578c6a671f142837c98f98d5fd260332a5 2020-05-06 06:02:16 -04:00			`res.status(404).send({`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`message: req.i18n.translate('secondary_email_password_reset')`
			`})`
			`} else {`
Merge pull request #2746 from overleaf/ew-jpa-fix-deprecated-express-methods [misc] fix express deprecations GitOrigin-RevId: 78c730578c6a671f142837c98f98d5fd260332a5 2020-05-06 06:02:16 -04:00			`res.status(404).send({`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`message: req.i18n.translate('cant_find_email')`
			`})`
			`}`
			`})`
			`})`
			`},`

			`renderSetPasswordForm(req, res) {`
			`if (req.query.passwordResetToken != null) {`
			`req.session.resetToken = req.query.passwordResetToken`
Merge pull request #3824 from overleaf/jpa-password-reset-email-forwarding [misc] fix passing around of users email as part of password reset GitOrigin-RevId: 54e8cde9867a2ce735bc7ebe281ead19ef49e6cd 2021-03-31 05:35:29 -04:00			`let emailQuery = ''`
			`if (typeof req.query.email === 'string') {`
			`const email = EmailsHelper.parseEmail(req.query.email)`
			`if (email) {`
			emailQuery = `?email=${encodeURIComponent(email)}`
			`}`
			`}`
			`return res.redirect('/user/password/set' + emailQuery)`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`}`
			`if (req.session.resetToken == null) {`
			`return res.redirect('/user/password/reset')`
			`}`
Merge pull request #1944 from overleaf/em-password-reset Store the email address in the password reset token data GitOrigin-RevId: 9aa2eaff49de9ac88258cb996202934dab71cc0a 2019-07-04 08:40:12 -04:00			`res.render('user/setPassword', {`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`title: 'set_password',`
			`passwordResetToken: req.session.resetToken`
			`})`
			`},`

Merge pull request #3078 from overleaf/jel-log-password-reset-by-token Update audit log when password reset by token GitOrigin-RevId: 2ae7f59c5cdf2723e541a99c58c36564cc82adbf 2020-08-13 09:42:28 -04:00			`setNewUserPassword: expressify(setNewUserPassword)`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`}`