feat(backend): forgot password (#250)

* feat(backend): forgot password

* feat: apply feedback from code review

* chore(auth): validate the minimum length of 'newPassword'

* chore(auth): make token has an expiry of 1 hour

* chore: rename all occurrences of 'code' to 'token'

* chore(backend): provide value on nanoIdGen method

apps/server/src/core/auth/auth.controller.ts

@@ -19,6 +19,7 @@ import { AuthUser } from '../../common/decorators/auth-user.decorator';
 import { User, Workspace } from '@docmost/db/types/entity.types';
 import { AuthWorkspace } from '../../common/decorators/auth-workspace.decorator';
 import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
+import { ForgotPasswordDto } from './dto/forgot-password.dto';
 
 @Controller('auth')
 export class AuthController {
@@ -33,6 +34,18 @@ export class AuthController {
     return this.authService.login(loginInput, req.raw.workspaceId);
   }
 
+  @HttpCode(HttpStatus.OK)
+  @Post('forgot-password')
+  async forgotPassword(
+    @Req() req,
+    @Body() forgotPasswordDto: ForgotPasswordDto,
+  ) {
+    return this.authService.forgotPassword(
+      forgotPasswordDto,
+      req.raw.workspaceId,
+    );
+  }
+
   /* @HttpCode(HttpStatus.OK)
   @Post('register')
   async register(@Req() req, @Body() createUserDto: CreateUserDto) {

apps/server/src/core/auth/dto/forgot-password.dto.ts

@@ -0,0 +1,16 @@
+import { IsEmail, IsNotEmpty, IsOptional, IsString, MinLength } from 'class-validator';
+
+export class ForgotPasswordDto {
+  @IsNotEmpty()
+  @IsEmail()
+  email: string;
+
+  @IsOptional()
+  @IsString()
+  token: string;
+
+  @IsOptional()
+  @IsString()
+  @MinLength(8)
+  newPassword: string;
+}

apps/server/src/core/auth/services/auth.service.ts

@@ -11,10 +11,13 @@ import { TokensDto } from '../dto/tokens.dto';
 import { SignupService } from './signup.service';
 import { CreateAdminUserDto } from '../dto/create-admin-user.dto';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
-import { comparePasswordHash, hashPassword } from '../../../common/helpers';
+import { comparePasswordHash, hashPassword, nanoIdGen } from '../../../common/helpers';
 import { ChangePasswordDto } from '../dto/change-password.dto';
 import { MailService } from '../../../integrations/mail/mail.service';
 import ChangePasswordEmail from '@docmost/transactional/emails/change-password-email';
+import { ForgotPasswordDto } from '../dto/forgot-password.dto';
+import ForgotPasswordEmail from '@docmost/transactional/emails/forgot-password-email';
+import { UserTokensRepo } from '@docmost/db/repos/user-tokens/user-tokens.repo';
 
 @Injectable()
 export class AuthService {
@@ -22,6 +25,7 @@ export class AuthService {
     private signupService: SignupService,
     private tokenService: TokenService,
     private userRepo: UserRepo,
+    private userTokensRepo: UserTokensRepo,
     private mailService: MailService,
   ) {}
 
@@ -46,6 +50,94 @@ export class AuthService {
     return { tokens };
   }
 
+  async forgotPassword(
+    forgotPasswordDto: ForgotPasswordDto,
+    workspaceId: string,
+  ) {
+    const user = await this.userRepo.findByEmail(
+      forgotPasswordDto.email,
+      workspaceId,
+      true,
+    );
+    if (!user) {
+      return;
+    }
+
+    if (
+      forgotPasswordDto.token == null ||
+      forgotPasswordDto.newPassword == null
+    ) {
+      // Generate 5-character user token
+      const code = nanoIdGen(5).toUpperCase();
+      const hashedToken = await hashPassword(code);
+      await this.userTokensRepo.insertUserToken({
+        token: hashedToken,
+        user_id: user.id,
+        workspace_id: user.workspaceId,
+        expires_at: new Date(new Date().getTime() + 3_600_000), // should expires in 1 hour
+        type: "forgot-password",
+      });
+
+      const emailTemplate = ForgotPasswordEmail({
+        username: user.name,
+        code: code,
+      });
+      await this.mailService.sendToQueue({
+        to: user.email,
+        subject: 'Reset your password',
+        template: emailTemplate,
+      });
+
+      return;
+    }
+
+    // Get all user tokens that are not expired
+    const userTokens = await this.userTokensRepo.findByUserId(
+      user.id,
+      user.workspaceId,
+      "forgot-password"
+    );
+    // Limit to the last 3 token, so we have a total time window of 15 minutes
+    const validUserTokens = userTokens
+      .filter((token) => token.expires_at > new Date() && token.used_at == null)
+      .slice(0, 3);
+
+    for (const token of validUserTokens) {
+      const validated = await comparePasswordHash(
+        forgotPasswordDto.token,
+        token.token,
+      );
+      if (validated) {
+        await Promise.all([
+          this.userTokensRepo.deleteUserToken(user.id, user.workspaceId, "forgot-password"),
+          this.userTokensRepo.deleteExpiredUserTokens(),
+        ]);
+
+        const newPasswordHash = await hashPassword(
+          forgotPasswordDto.newPassword,
+        );
+        await this.userRepo.updateUser(
+          {
+            password: newPasswordHash,
+          },
+          user.id,
+          workspaceId,
+        );
+
+        const emailTemplate = ChangePasswordEmail({ username: user.name });
+        await this.mailService.sendToQueue({
+          to: user.email,
+          subject: 'Your password has been changed',
+          template: emailTemplate,
+        });
+
+        return;
+      }
+    }
+
+    throw new BadRequestException('Incorrect code');
+  }
+
   async register(createUserDto: CreateUserDto, workspaceId: string) {
     const user = await this.signupService.signup(createUserDto, workspaceId);
 

apps/server/src/database/migrations/20240903T124647-user-tokens.ts

@@ -0,0 +1,27 @@
+import { sql, Kysely } from 'kysely';
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await db.schema
+    .createTable('user_tokens')
+    .addColumn('id', 'uuid', (col) =>
+      col.primaryKey().defaultTo(sql`gen_uuid_v7()`),
+    )
+    .addColumn('token', 'varchar', (col) => col.notNull())
+    .addColumn('user_id', 'uuid', (col) =>
+      col.notNull().references('users.id').onDelete('cascade'),
+    )
+    .addColumn('workspace_id', 'uuid', (col) =>
+      col.references('workspaces.id').onDelete('cascade'),
+    )
+    .addColumn('type', 'varchar', (col) => col.notNull())
+    .addColumn('expires_at', 'timestamptz')
+    .addColumn('used_at', 'timestamptz', (col) => col)
+    .addColumn('created_at', 'timestamptz', (col) =>
+      col.notNull().defaultTo(sql`now()`),
+    )
+    .execute();
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.dropTable('user_tokens').execute();
+}

apps/server/src/database/repos/user-tokens/user-tokens.repo.ts

@@ -0,0 +1,89 @@
+import {
+  InsertableUserToken,
+  UpdatableUserToken,
+} from '@docmost/db/types/entity.types';
+import { KyselyDB, KyselyTransaction } from '@docmost/db/types/kysely.types';
+import { dbOrTx } from '@docmost/db/utils';
+import { Injectable } from '@nestjs/common';
+import { InjectKysely } from 'nestjs-kysely';
+
+@Injectable()
+export class UserTokensRepo {
+  constructor(@InjectKysely() private readonly db: KyselyDB) {}
+
+  async insertUserToken(
+    insertableUserToken: InsertableUserToken,
+    trx?: KyselyTransaction,
+  ) {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .insertInto('userTokens')
+      .values(insertableUserToken)
+      .returningAll()
+      .executeTakeFirst();
+  }
+
+  async findByUserId(
+    userId: string,
+    workspaceId: string,
+    tokenType: string,
+    trx?: KyselyTransaction,
+  ) {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .selectFrom('userTokens')
+      .select([
+        'id',
+        'token',
+        'user_id',
+        'workspace_id',
+        'type',
+        'expires_at',
+        'used_at',
+        'created_at',
+      ])
+      .where('user_id', '=', userId)
+      .where('workspace_id', '=', workspaceId)
+      .where('type', '=', tokenType)
+      .orderBy('expires_at desc')
+      .execute();
+  }
+
+  async updateUserToken(
+    updatableUserToken: UpdatableUserToken,
+    userTokenId: string,
+    trx?: KyselyTransaction,
+  ) {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .updateTable('userTokens')
+      .set({ ...updatableUserToken })
+      .where('id', '=', userTokenId)
+      .execute();
+  }
+
+  async deleteUserToken(
+    userId: string,
+    workspaceId: string,
+    tokenType: string,
+    trx?: KyselyTransaction,
+  ) {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .deleteFrom('userTokens')
+      .where('user_id', '=', userId)
+      .where('workspace_id', '=', workspaceId)
+      .where('type', '=', tokenType)
+      .execute();
+  }
+
+  async deleteExpiredUserTokens(
+    trx?: KyselyTransaction,
+  ) {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .deleteFrom('userTokens')
+      .where('expires_at', '<', new Date())
+      .execute(); 
+  }
+}

apps/server/src/database/types/db.d.ts

@@ -1,10 +1,15 @@
-import type { ColumnType } from "kysely";
+import type { ColumnType } from 'kysely';
 
-export type Generated<T> = T extends ColumnType<infer S, infer I, infer U>
+export type Generated<T> =
-  ? ColumnType<S, I | undefined, U>
+  T extends ColumnType<infer S, infer I, infer U>
-  : ColumnType<T, T | undefined, T>;
+    ? ColumnType<S, I | undefined, U>
+    : ColumnType<T, T | undefined, T>;
 
-export type Int8 = ColumnType<string, bigint | number | string, bigint | number | string>;
+export type Int8 = ColumnType<
+  string,
+  bigint | number | string,
+  bigint | number | string
+>;
 
 export type Json = JsonValue;
 
@@ -185,6 +190,17 @@ export interface Workspaces {
   updatedAt: Generated<Timestamp>;
 }
 
+export interface UserTokens {
+  id: Generated<string>;
+  token: string;
+  user_id: string;
+  workspace_id: string;
+  type: string;
+  expires_at: Timestamp | null;
+  used_at: Timestamp | null;
+  created_at: Generated<Timestamp>;
+}
+
 export interface DB {
   attachments: Attachments;
   comments: Comments;
@@ -197,4 +213,5 @@ export interface DB {
   users: Users;
   workspaceInvitations: WorkspaceInvitations;
   workspaces: Workspaces;
+  userTokens: UserTokens;
 }

apps/server/src/database/types/entity.types.ts

@@ -11,6 +11,7 @@ import {
   GroupUsers,
   SpaceMembers,
   WorkspaceInvitations,
+  UserTokens,
 } from './db';
 
 // Workspace
@@ -71,3 +72,8 @@ export type UpdatableComment = Updateable<Omit<Comments, 'id'>>;
 export type Attachment = Selectable<Attachments>;
 export type InsertableAttachment = Insertable<Attachments>;
 export type UpdatableAttachment = Updateable<Omit<Attachments, 'id'>>;
+
+// User Tokens
+export type UserToken = Selectable<UserTokens>;
+export type InsertableUserToken = Insertable<UserTokens>;
+export type UpdatableUserToken = Updateable<Omit<UserTokens, 'id'>>;

apps/server/src/integrations/environment/environment.service.ts

@@ -62,9 +62,9 @@ export class EnvironmentService {
   getAwsS3Endpoint(): string {
     return this.configService.get<string>('AWS_S3_ENDPOINT');
   }
-  
+
   getAwsS3ForcePathStyle(): boolean {
-    return this.configService.get<boolean>('AWS_S3_FORCE_PATH_STYLE')
+    return this.configService.get<boolean>('AWS_S3_FORCE_PATH_STYLE');
   }
 
   getAwsS3Url(): string {

apps/server/src/integrations/import/import.module.ts

@@ -4,6 +4,6 @@ import { ImportController } from './import.controller';
 
 @Module({
   providers: [ImportService],
-  controllers: [ImportController]
+  controllers: [ImportController],
 })
 export class ImportModule {}

apps/server/src/integrations/mail/providers/mail.provider.ts

@@ -27,11 +27,14 @@ export const mailDriverConfigProvider = {
     switch (driver) {
       case MailOption.SMTP:
         let auth = undefined;
-        if (environmentService.getSmtpUsername() && environmentService.getSmtpPassword()) {
+        if (
+          environmentService.getSmtpUsername() &&
+          environmentService.getSmtpPassword()
+        ) {
           auth = {
-              user: environmentService.getSmtpUsername(),
+            user: environmentService.getSmtpUsername(),
-              pass: environmentService.getSmtpPassword(),
+            pass: environmentService.getSmtpPassword(),
-            };
+          };
         }
         return {
           driver,

apps/server/src/integrations/transactional/emails/forgot-password-email.tsx

@@ -0,0 +1,27 @@
+import { Section, Text } from '@react-email/components';
+import * as React from 'react';
+import { content, paragraph } from '../css/styles';
+import { MailBody } from '../partials/partials';
+
+interface Props {
+    username: string;
+    code: string;
+}
+
+export const ForgotPasswordEmail = ({ username, code }: Props) => {
+    return (
+        <MailBody>
+          <Section style={content}>
+            <Text style={paragraph}>Hi {username},</Text>
+            <Text style={paragraph}>
+              The code for resetting your password is: <strong>{code}</strong>.
+            </Text>
+            <Text style={paragraph}>
+              If you did not request a password reset, please ignore this email.
+            </Text>
+          </Section>
+        </MailBody>
+      );
+}
+
+export default ForgotPasswordEmail;

apps/server/src/integrations/transactional/utils/utils.ts

@@ -1,6 +1,6 @@
 export const formatDate = (date: Date) => {
-  new Intl.DateTimeFormat("en", {
+  new Intl.DateTimeFormat('en', {
-    dateStyle: "medium",
+    dateStyle: 'medium',
-    timeStyle: "medium",
+    timeStyle: 'medium',
   }).format(date);
 };