overleaf/services/web/app/coffee/Features/PasswordReset/PasswordResetHandler.coffee

settings = require("settings-sharelatex")
async = require("async")
UserGetter = require("../User/UserGetter")
OneTimeTokenHandler = require("../Security/OneTimeTokenHandler")
EmailHandler = require("../Email/EmailHandler")
AuthenticationManager = require("../Authentication/AuthenticationManager")
logger = require("logger-sharelatex")
V1Api = require("../V1/V1Api")

module.exports = PasswordResetHandler =

	generateAndEmailResetToken:(email, callback = (error, exists) ->)->
		PasswordResetHandler._getPasswordResetData email, (error, exists, data) ->
			if error? or !exists
				return callback(error, exists) 
			OneTimeTokenHandler.getNewToken 'password', data, (err, token)->
				if err then return callback(err)
				emailOptions =
					to : email
					setNewPasswordUrl : "#{settings.siteUrl}/user/password/set?passwordResetToken=#{token}&email=#{encodeURIComponent(email)}"
				EmailHandler.sendEmail "passwordResetRequested", emailOptions, (error) ->
					return callback(error) if error?
					callback null, true

	setNewUserPassword: (token, password, callback = (error, found, user_id) ->)->
		OneTimeTokenHandler.getValueFromTokenAndExpire 'password', token, (err, data)->
			if err then return callback(err)
			if !data?
				return callback null, false, null
			if typeof data == "string"
				# Backwards compatible with old format.
				# Tokens expire after 1h, so this can be removed soon after deploy.
				# Possibly we should keep this until we do an onsite release too.
				data = { user_id: data } 
			if data.user_id?
				AuthenticationManager.setUserPassword data.user_id, password, (err, reset) ->
					if err then return callback(err)
					callback null, reset, data.user_id
			else if data.v1_user_id?
				AuthenticationManager.setUserPasswordInV1 data.v1_user_id, password, (error, reset) ->
					return callback(error) if error?
					UserGetter.getUser { 'overleaf.id': data.v1_user_id }, {_id:1}, (error, user) ->
						return callback(error) if error?
						callback null, reset, user?._id

	_getPasswordResetData: (email, callback = (error, exists, data) ->) ->
		if settings.overleaf?
			# Overleaf v2
			V1Api.request {
				url: "/api/v1/sharelatex/user_emails"
				qs:
					email: email
				expectedStatusCodes: [404]
			}, (error, response, body) ->
				return callback(error) if error?
				if response.statusCode == 404
					return callback null, false
				else
					return callback null, true, { v1_user_id: body.user_id }
		else
			# ShareLaTeX
			UserGetter.getUserByMainEmail email, (err, user)->
				if err then return callback(err)
				if !user? or user.holdingAccount or user.overleaf?
					logger.err email:email, "user could not be found for password reset"
					return callback(null, false)
				return callback null, true, { user_id: user._id }
written password reset handler 2014-05-15 11:20:23 -04:00			`settings = require("settings-sharelatex")`
			`async = require("async")`
			`UserGetter = require("../User/UserGetter")`
fix Onetime token handler path 2015-05-27 10:06:36 -04:00			`OneTimeTokenHandler = require("../Security/OneTimeTokenHandler")`
written password reset handler 2014-05-15 11:20:23 -04:00			`EmailHandler = require("../Email/EmailHandler")`
			`AuthenticationManager = require("../Authentication/AuthenticationManager")`
added some logging 2014-05-15 13:08:21 -04:00			`logger = require("logger-sharelatex")`
Merge pull request #1273 from sharelatex/ja-password-reset-v1 Handle v1-only users in v2 password reset flow GitOrigin-RevId: 38ce8e9aebd3330b980e73640a23661d8015d4f3 2018-12-18 06:14:41 -05:00			`V1Api = require("../V1/V1Api")`
written password reset handler 2014-05-15 11:20:23 -04:00
Merge pull request #1273 from sharelatex/ja-password-reset-v1 Handle v1-only users in v2 password reset flow GitOrigin-RevId: 38ce8e9aebd3330b980e73640a23661d8015d4f3 2018-12-18 06:14:41 -05:00			`module.exports = PasswordResetHandler =`
written password reset handler 2014-05-15 11:20:23 -04:00
Don't error on password reset if no email found, and translate error messages 2014-08-08 06:41:54 -04:00			`generateAndEmailResetToken:(email, callback = (error, exists) ->)->`
Merge pull request #1273 from sharelatex/ja-password-reset-v1 Handle v1-only users in v2 password reset flow GitOrigin-RevId: 38ce8e9aebd3330b980e73640a23661d8015d4f3 2018-12-18 06:14:41 -05:00			`PasswordResetHandler._getPasswordResetData email, (error, exists, data) ->`
			`if error? or !exists`
			`return callback(error, exists)`
			`OneTimeTokenHandler.getNewToken 'password', data, (err, token)->`
written password reset controller 2014-05-15 11:50:38 -04:00			`if err then return callback(err)`
			`emailOptions =`
			`to : email`
added complex password validation to password resets 2015-04-30 06:59:44 -04:00			`setNewPasswordUrl : "#{settings.siteUrl}/user/password/set?passwordResetToken=#{token}&email=#{encodeURIComponent(email)}"`
Don't error on password reset if no email found, and translate error messages 2014-08-08 06:41:54 -04:00			`EmailHandler.sendEmail "passwordResetRequested", emailOptions, (error) ->`
			`return callback(error) if error?`
			`callback null, true`
written password reset handler 2014-05-15 11:20:23 -04:00
Improve pre-registered account activation process 2015-12-11 06:30:06 -05:00			`setNewUserPassword: (token, password, callback = (error, found, user_id) ->)->`
Merge pull request #1273 from sharelatex/ja-password-reset-v1 Handle v1-only users in v2 password reset flow GitOrigin-RevId: 38ce8e9aebd3330b980e73640a23661d8015d4f3 2018-12-18 06:14:41 -05:00			`OneTimeTokenHandler.getValueFromTokenAndExpire 'password', token, (err, data)->`
written password reset handler 2014-05-15 11:20:23 -04:00			`if err then return callback(err)`
Merge pull request #1273 from sharelatex/ja-password-reset-v1 Handle v1-only users in v2 password reset flow GitOrigin-RevId: 38ce8e9aebd3330b980e73640a23661d8015d4f3 2018-12-18 06:14:41 -05:00			`if !data?`
Improve pre-registered account activation process 2015-12-11 06:30:06 -05:00			`return callback null, false, null`
Merge pull request #1273 from sharelatex/ja-password-reset-v1 Handle v1-only users in v2 password reset flow GitOrigin-RevId: 38ce8e9aebd3330b980e73640a23661d8015d4f3 2018-12-18 06:14:41 -05:00			`if typeof data == "string"`
			`# Backwards compatible with old format.`
			`# Tokens expire after 1h, so this can be removed soon after deploy.`
			`# Possibly we should keep this until we do an onsite release too.`
			`data = { user_id: data }`
			`if data.user_id?`
			`AuthenticationManager.setUserPassword data.user_id, password, (err, reset) ->`
			`if err then return callback(err)`
			`callback null, reset, data.user_id`
			`else if data.v1_user_id?`
			`AuthenticationManager.setUserPasswordInV1 data.v1_user_id, password, (error, reset) ->`
			`return callback(error) if error?`
			`UserGetter.getUser { 'overleaf.id': data.v1_user_id }, {_id:1}, (error, user) ->`
			`return callback(error) if error?`
			`callback null, reset, user?._id`

			`_getPasswordResetData: (email, callback = (error, exists, data) ->) ->`
			`if settings.overleaf?`
			`# Overleaf v2`
			`V1Api.request {`
			`url: "/api/v1/sharelatex/user_emails"`
			`qs:`
			`email: email`
			`expectedStatusCodes: [404]`
			`}, (error, response, body) ->`
			`return callback(error) if error?`
			`if response.statusCode == 404`
			`return callback null, false`
			`else`
			`return callback null, true, { v1_user_id: body.user_id }`
			`else`
			`# ShareLaTeX`
			`UserGetter.getUserByMainEmail email, (err, user)->`
Show password reset expired message rather than server error if that's what has happened 2014-10-08 12:18:24 -04:00			`if err then return callback(err)`
Merge pull request #1273 from sharelatex/ja-password-reset-v1 Handle v1-only users in v2 password reset flow GitOrigin-RevId: 38ce8e9aebd3330b980e73640a23661d8015d4f3 2018-12-18 06:14:41 -05:00			`if !user? or user.holdingAccount or user.overleaf?`
			`logger.err email:email, "user could not be found for password reset"`
			`return callback(null, false)`
			`return callback null, true, { user_id: user._id }`