planka/server/api/controllers/users/update-password.js

/*!
 * Copyright (c) 2024 PLANKA Software GmbH
 * Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md
 */

const bcrypt = require('bcrypt');

const { isPassword } = require('../../../utils/validators');
const { idInput } = require('../../../utils/inputs');
const { getRemoteAddress } = require('../../../utils/remote-address');

const Errors = {
  NOT_ENOUGH_RIGHTS: {
    notEnoughRights: 'Not enough rights',
  },
  INVALID_CURRENT_PASSWORD: {
    invalidCurrentPassword: 'Invalid current password',
  },
  USER_NOT_FOUND: {
    userNotFound: 'User not found',
  },
};

module.exports = {
  inputs: {
    id: {
      ...idInput,
      required: true,
    },
    password: {
      type: 'string',
      maxLength: 256,
      custom: isPassword,
      required: true,
    },
    currentPassword: {
      type: 'string',
      isNotEmptyString: true,
      maxLength: 256,
    },
  },

  exits: {
    notEnoughRights: {
      responseType: 'forbidden',
    },
    invalidCurrentPassword: {
      responseType: 'forbidden',
    },
    userNotFound: {
      responseType: 'notFound',
    },
  },

  async fn(inputs) {
    const { currentSession, currentUser } = this.req;

    if (inputs.id === currentUser.id) {
      if (!inputs.currentPassword) {
        throw Errors.INVALID_CURRENT_PASSWORD;
      }
    } else if (currentUser.role !== User.Roles.ADMIN) {
      throw Errors.USER_NOT_FOUND; // Forbidden
    }

    let user = await User.qm.getOneById(inputs.id);

    if (!user) {
      throw Errors.USER_NOT_FOUND;
    }

    if (user.email === sails.config.custom.defaultAdminEmail || user.isSsoUser) {
      throw Errors.NOT_ENOUGH_RIGHTS;
    }

    if (inputs.id === currentUser.id) {
      const isCurrentPasswordValid = await bcrypt.compare(inputs.currentPassword, user.password);

      if (!isCurrentPasswordValid) {
        throw Errors.INVALID_CURRENT_PASSWORD;
      }
    }

    const values = _.pick(inputs, ['password']);

    user = await sails.helpers.users.updateOne.with({
      values,
      record: user,
      actorUser: currentUser,
      request: this.req,
    });

    if (!user) {
      throw Errors.USER_NOT_FOUND;
    }

    if (user.id === currentUser.id) {
      const { token: accessToken } = sails.helpers.utils.createJwtToken(
        user.id,
        user.passwordChangedAt,
      );

      await Session.qm.createOne({
        accessToken,
        httpOnlyToken: currentSession.httpOnlyToken,
        userId: user.id,
        remoteAddress: getRemoteAddress(this.req),
        userAgent: this.req.headers['user-agent'],
      });

      return {
        item: sails.helpers.users.presentOne(user, currentUser),
        included: {
          accessTokens: [accessToken],
        },
      };
    }

    return {
      item: sails.helpers.users.presentOne(user, currentUser),
    };
  },
};
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`/*!`
			`* Copyright (c) 2024 PLANKA Software GmbH`
			`* Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md`
			`*/`

Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00			`const bcrypt = require('bcrypt');`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`const { isPassword } = require('../../../utils/validators');`
			`const { idInput } = require('../../../utils/inputs');`
			`const { getRemoteAddress } = require('../../../utils/remote-address');`
feat: Invalidate access token on logout 2022-09-07 18:39:33 +05:00
Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00			`const Errors = {`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`NOT_ENOUGH_RIGHTS: {`
			`notEnoughRights: 'Not enough rights',`
			`},`
Add username to user 2020-04-03 00:35:25 +05:00			`INVALID_CURRENT_PASSWORD: {`
			`invalidCurrentPassword: 'Invalid current password',`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`},`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`USER_NOT_FOUND: {`
			`userNotFound: 'User not found',`
			`},`
Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00			`};`

			`module.exports = {`
			`inputs: {`
			`id: {`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`...idInput,`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`required: true,`
Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00			`},`
			`password: {`
			`type: 'string',`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`maxLength: 256,`
			`custom: isPassword,`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`required: true,`
Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00			`},`
			`currentPassword: {`
			`type: 'string',`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`isNotEmptyString: true,`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`maxLength: 256,`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`},`
Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00			`},`

			`exits: {`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`notEnoughRights: {`
			`responseType: 'forbidden',`
			`},`
Add username to user 2020-04-03 00:35:25 +05:00			`invalidCurrentPassword: {`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`responseType: 'forbidden',`
			`},`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`userNotFound: {`
			`responseType: 'notFound',`
			`},`
Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00			`},`

Project managers, board members, auto-update after reconnection, refactoring 2021-06-24 01:05:22 +05:00			`async fn(inputs) {`
feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00			`const { currentSession, currentUser } = this.req;`
Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00
			`if (inputs.id === currentUser.id) {`
			`if (!inputs.currentPassword) {`
Add username to user 2020-04-03 00:35:25 +05:00			`throw Errors.INVALID_CURRENT_PASSWORD;`
Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00			`}`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`} else if (currentUser.role !== User.Roles.ADMIN) {`
Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00			`throw Errors.USER_NOT_FOUND; // Forbidden`
			`}`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`let user = await User.qm.getOneById(inputs.id);`
Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00
			`if (!user) {`
			`throw Errors.USER_NOT_FOUND;`
			`}`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`if (user.email === sails.config.custom.defaultAdminEmail \|\| user.isSsoUser) {`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`throw Errors.NOT_ENOUGH_RIGHTS;`
feat: Use environment variables for default admin configuration 2023-09-12 01:12:38 +02:00			`}`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`if (inputs.id === currentUser.id) {`
			`const isCurrentPasswordValid = await bcrypt.compare(inputs.currentPassword, user.password);`

			`if (!isCurrentPasswordValid) {`
			`throw Errors.INVALID_CURRENT_PASSWORD;`
			`}`
Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00			`}`

			`const values = _.pick(inputs, ['password']);`
ref: Remove board types, refactoring 2022-12-26 21:10:50 +01:00
			`user = await sails.helpers.users.updateOne.with({`
			`values,`
			`record: user,`
feat: Webhooks configuration, all events support, refactoring 2024-06-12 00:51:36 +02:00			`actorUser: currentUser,`
ref: Remove board types, refactoring 2022-12-26 21:10:50 +01:00			`request: this.req,`
			`});`
Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00
			`if (!user) {`
			`throw Errors.USER_NOT_FOUND;`
			`}`

feat: Improve security of access tokens (#279) Closes #275 2022-08-09 18:03:21 +02:00			`if (user.id === currentUser.id) {`
feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00			`const { token: accessToken } = sails.helpers.utils.createJwtToken(`
			`user.id,`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`user.passwordChangedAt,`
feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00			`);`
feat: Improve security of access tokens (#279) Closes #275 2022-08-09 18:03:21 +02:00
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`await Session.qm.createOne({`
feat: Invalidate access token on logout 2022-09-07 18:39:33 +05:00			`accessToken,`
feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00			`httpOnlyToken: currentSession.httpOnlyToken,`
feat: Invalidate access token on logout 2022-09-07 18:39:33 +05:00			`userId: user.id,`
			`remoteAddress: getRemoteAddress(this.req),`
			`userAgent: this.req.headers['user-agent'],`
			`});`

feat: Improve security of access tokens (#279) Closes #275 2022-08-09 18:03:21 +02:00			`return {`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`item: sails.helpers.users.presentOne(user, currentUser),`
ref: Little change for consistency 2022-08-09 22:31:43 +02:00			`included: {`
			`accessTokens: [accessToken],`
			`},`
feat: Improve security of access tokens (#279) Closes #275 2022-08-09 18:03:21 +02:00			`};`
			`}`

Project managers, board members, auto-update after reconnection, refactoring 2021-06-24 01:05:22 +05:00			`return {`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`item: sails.helpers.users.presentOne(user, currentUser),`
Project managers, board members, auto-update after reconnection, refactoring 2021-06-24 01:05:22 +05:00			`};`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`},`
Add email and password change functionality for a current user, remove deep compare hooks 2019-10-18 08:06:34 +05:00			`};`