feat(backend): forgot password (#250)

* feat(backend): forgot password * feat: apply feedback from code review * chore(auth): validate the minimum length of 'newPassword' * chore(auth): make token has an expiry of 1 hour * chore: rename all occurrences of 'code' to 'token' * chore(backend): provide value on nanoIdGen method
2025-11-12 16:12:39 +10:00 · 2024-09-17 21:52:47 +07:00
parent 6a3a7721be
commit f34812653e
12 changed files with 306 additions and 16 deletions
--- a/apps/server/src/core/auth/auth.controller.ts
+++ b/apps/server/src/core/auth/auth.controller.ts
@ -19,6 +19,7 @@ import { AuthUser } from '../../common/decorators/auth-user.decorator';
 import { User, Workspace } from '@docmost/db/types/entity.types';
 import { AuthWorkspace } from '../../common/decorators/auth-workspace.decorator';
 import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
+import { ForgotPasswordDto } from './dto/forgot-password.dto';

@Controller('auth')
 export class AuthController {
@ -33,6 +34,18 @@ export class AuthController {
    return this.authService.login(loginInput, req.raw.workspaceId);
  }

+  @HttpCode(HttpStatus.OK)
+  @Post('forgot-password')
+  async forgotPassword(
+    @Req() req,
+    @Body() forgotPasswordDto: ForgotPasswordDto,
+  ) {
+    return this.authService.forgotPassword(
+      forgotPasswordDto,
+      req.raw.workspaceId,
+    );
+  }
+
  /* @HttpCode(HttpStatus.OK)
  @Post('register')
  async register(@Req() req, @Body() createUserDto: CreateUserDto) {
--- a/apps/server/src/core/auth/dto/forgot-password.dto.ts
+++ b/apps/server/src/core/auth/dto/forgot-password.dto.ts
@ -0,0 +1,16 @@
+import { IsEmail, IsNotEmpty, IsOptional, IsString, MinLength } from 'class-validator';
+
+export class ForgotPasswordDto {
+  @IsNotEmpty()
+  @IsEmail()
+  email: string;
+
+  @IsOptional()
+  @IsString()
+  token: string;
+
+  @IsOptional()
+  @IsString()
+  @MinLength(8)
+  newPassword: string;
+}
--- a/apps/server/src/core/auth/services/auth.service.ts
+++ b/apps/server/src/core/auth/services/auth.service.ts
@ -11,10 +11,13 @@ import { TokensDto } from '../dto/tokens.dto';
 import { SignupService } from './signup.service';
 import { CreateAdminUserDto } from '../dto/create-admin-user.dto';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
-import { comparePasswordHash, hashPassword } from '../../../common/helpers';
+import { comparePasswordHash, hashPassword, nanoIdGen } from '../../../common/helpers';
 import { ChangePasswordDto } from '../dto/change-password.dto';
 import { MailService } from '../../../integrations/mail/mail.service';
 import ChangePasswordEmail from '@docmost/transactional/emails/change-password-email';
+import { ForgotPasswordDto } from '../dto/forgot-password.dto';
+import ForgotPasswordEmail from '@docmost/transactional/emails/forgot-password-email';
+import { UserTokensRepo } from '@docmost/db/repos/user-tokens/user-tokens.repo';

@Injectable()
 export class AuthService {
@ -22,6 +25,7 @@ export class AuthService {
    private signupService: SignupService,
    private tokenService: TokenService,
    private userRepo: UserRepo,
+    private userTokensRepo: UserTokensRepo,
    private mailService: MailService,
  ) {}

@ -46,6 +50,94 @@ export class AuthService {
    return { tokens };
  }

+  async forgotPassword(
+    forgotPasswordDto: ForgotPasswordDto,
+    workspaceId: string,
+  ) {
+    const user = await this.userRepo.findByEmail(
+      forgotPasswordDto.email,
+      workspaceId,
+      true,
+    );
+    if (!user) {
+      return;
+    }
+
+    if (
+      forgotPasswordDto.token == null ||
+      forgotPasswordDto.newPassword == null
+    ) {
+      // Generate 5-character user token
+      const code = nanoIdGen(5).toUpperCase();
+      const hashedToken = await hashPassword(code);
+      await this.userTokensRepo.insertUserToken({
+        token: hashedToken,
+        user_id: user.id,
+        workspace_id: user.workspaceId,
+        expires_at: new Date(new Date().getTime() + 3_600_000), // should expires in 1 hour
+        type: "forgot-password",
+      });
+
+      const emailTemplate = ForgotPasswordEmail({
+        username: user.name,
+        code: code,
+      });
+      await this.mailService.sendToQueue({
+        to: user.email,
+        subject: 'Reset your password',
+        template: emailTemplate,
+      });
+
+      return;
+    }
+
+    // Get all user tokens that are not expired
+    const userTokens = await this.userTokensRepo.findByUserId(
+      user.id,
+      user.workspaceId,
+      "forgot-password"
+    );
+    // Limit to the last 3 token, so we have a total time window of 15 minutes
+    const validUserTokens = userTokens
+      .filter((token) => token.expires_at > new Date() && token.used_at == null)
+      .slice(0, 3);
+
+    for (const token of validUserTokens) {
+      const validated = await comparePasswordHash(
+        forgotPasswordDto.token,
+        token.token,
+      );
+      if (validated) {
+        await Promise.all([
+          this.userTokensRepo.deleteUserToken(user.id, user.workspaceId, "forgot-password"),
+          this.userTokensRepo.deleteExpiredUserTokens(),
+        ]);
+
+        const newPasswordHash = await hashPassword(
+          forgotPasswordDto.newPassword,
+        );
+        await this.userRepo.updateUser(
+          {
+            password: newPasswordHash,
+          },
+          user.id,
+          workspaceId,
+        );
+
+        const emailTemplate = ChangePasswordEmail({ username: user.name });
+        await this.mailService.sendToQueue({
+          to: user.email,
+          subject: 'Your password has been changed',
+          template: emailTemplate,
+        });
+
+        return;
+      }
+    }
+
+    throw new BadRequestException('Incorrect code');
+  }
+
  async register(createUserDto: CreateUserDto, workspaceId: string) {
    const user = await this.signupService.signup(createUserDto, workspaceId);

--- a/apps/server/src/database/migrations/20240903T124647-user-tokens.ts
+++ b/apps/server/src/database/migrations/20240903T124647-user-tokens.ts
@ -0,0 +1,27 @@
+import { sql, Kysely } from 'kysely';
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await db.schema
+    .createTable('user_tokens')
+    .addColumn('id', 'uuid', (col) =>
+      col.primaryKey().defaultTo(sql`gen_uuid_v7()`),
+    )
+    .addColumn('token', 'varchar', (col) => col.notNull())
+    .addColumn('user_id', 'uuid', (col) =>
+      col.notNull().references('users.id').onDelete('cascade'),
+    )
+    .addColumn('workspace_id', 'uuid', (col) =>
+      col.references('workspaces.id').onDelete('cascade'),
+    )
+    .addColumn('type', 'varchar', (col) => col.notNull())
+    .addColumn('expires_at', 'timestamptz')
+    .addColumn('used_at', 'timestamptz', (col) => col)
+    .addColumn('created_at', 'timestamptz', (col) =>
+      col.notNull().defaultTo(sql`now()`),
+    )
+    .execute();
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.dropTable('user_tokens').execute();
+}
--- a/apps/server/src/database/repos/user-tokens/user-tokens.repo.ts
+++ b/apps/server/src/database/repos/user-tokens/user-tokens.repo.ts
@ -0,0 +1,89 @@
+import {
+  InsertableUserToken,
+  UpdatableUserToken,
+} from '@docmost/db/types/entity.types';
+import { KyselyDB, KyselyTransaction } from '@docmost/db/types/kysely.types';
+import { dbOrTx } from '@docmost/db/utils';
+import { Injectable } from '@nestjs/common';
+import { InjectKysely } from 'nestjs-kysely';
+
+@Injectable()
+export class UserTokensRepo {
+  constructor(@InjectKysely() private readonly db: KyselyDB) {}
+
+  async insertUserToken(
+    insertableUserToken: InsertableUserToken,
+    trx?: KyselyTransaction,
+  ) {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .insertInto('userTokens')
+      .values(insertableUserToken)
+      .returningAll()
+      .executeTakeFirst();
+  }
+
+  async findByUserId(
+    userId: string,
+    workspaceId: string,
+    tokenType: string,
+    trx?: KyselyTransaction,
+  ) {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .selectFrom('userTokens')
+      .select([
+        'id',
+        'token',
+        'user_id',
+        'workspace_id',
+        'type',
+        'expires_at',
+        'used_at',
+        'created_at',
+      ])
+      .where('user_id', '=', userId)
+      .where('workspace_id', '=', workspaceId)
+      .where('type', '=', tokenType)
+      .orderBy('expires_at desc')
+      .execute();
+  }
+
+  async updateUserToken(
+    updatableUserToken: UpdatableUserToken,
+    userTokenId: string,
+    trx?: KyselyTransaction,
+  ) {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .updateTable('userTokens')
+      .set({ ...updatableUserToken })
+      .where('id', '=', userTokenId)
+      .execute();
+  }
+
+  async deleteUserToken(
+    userId: string,
+    workspaceId: string,
+    tokenType: string,
+    trx?: KyselyTransaction,
+  ) {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .deleteFrom('userTokens')
+      .where('user_id', '=', userId)
+      .where('workspace_id', '=', workspaceId)
+      .where('type', '=', tokenType)
+      .execute();
+  }
+
+  async deleteExpiredUserTokens(
+    trx?: KyselyTransaction,
+  ) {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .deleteFrom('userTokens')
+      .where('expires_at', '<', new Date())
+      .execute(); 
+  }
+}
--- a/apps/server/src/database/types/db.d.ts
+++ b/apps/server/src/database/types/db.d.ts
@ -1,10 +1,15 @@
-import type { ColumnType } from "kysely";
+import type { ColumnType } from 'kysely';

-export type Generated<T> = T extends ColumnType<infer S, infer I, infer U>
+export type Generated<T> =
+  T extends ColumnType<infer S, infer I, infer U>
    ? ColumnType<S, I | undefined, U>
    : ColumnType<T, T | undefined, T>;

-export type Int8 = ColumnType<string, bigint | number | string, bigint | number | string>;
+export type Int8 = ColumnType<
+  string,
+  bigint | number | string,
+  bigint | number | string
+>;

 export type Json = JsonValue;

@ -185,6 +190,17 @@ export interface Workspaces {
  updatedAt: Generated<Timestamp>;
 }

+export interface UserTokens {
+  id: Generated<string>;
+  token: string;
+  user_id: string;
+  workspace_id: string;
+  type: string;
+  expires_at: Timestamp | null;
+  used_at: Timestamp | null;
+  created_at: Generated<Timestamp>;
+}
+
 export interface DB {
  attachments: Attachments;
  comments: Comments;
@ -197,4 +213,5 @@ export interface DB {
  users: Users;
  workspaceInvitations: WorkspaceInvitations;
  workspaces: Workspaces;
+  userTokens: UserTokens;
 }
--- a/apps/server/src/database/types/entity.types.ts
+++ b/apps/server/src/database/types/entity.types.ts
@ -11,6 +11,7 @@ import {
  GroupUsers,
  SpaceMembers,
  WorkspaceInvitations,
+  UserTokens,
 } from './db';

 // Workspace
@ -71,3 +72,8 @@ export type UpdatableComment = Updateable<Omit<Comments, 'id'>>;
 export type Attachment = Selectable<Attachments>;
 export type InsertableAttachment = Insertable<Attachments>;
 export type UpdatableAttachment = Updateable<Omit<Attachments, 'id'>>;
+
+// User Tokens
+export type UserToken = Selectable<UserTokens>;
+export type InsertableUserToken = Insertable<UserTokens>;
+export type UpdatableUserToken = Updateable<Omit<UserTokens, 'id'>>;
--- a/apps/server/src/integrations/environment/environment.service.ts
+++ b/apps/server/src/integrations/environment/environment.service.ts
@ -64,7 +64,7 @@ export class EnvironmentService {
  }

  getAwsS3ForcePathStyle(): boolean {
-    return this.configService.get<boolean>('AWS_S3_FORCE_PATH_STYLE')
+    return this.configService.get<boolean>('AWS_S3_FORCE_PATH_STYLE');
  }

  getAwsS3Url(): string {
--- a/apps/server/src/integrations/import/import.module.ts
+++ b/apps/server/src/integrations/import/import.module.ts
@ -4,6 +4,6 @@ import { ImportController } from './import.controller';

@Module({
  providers: [ImportService],
-  controllers: [ImportController]
+  controllers: [ImportController],
 })
 export class ImportModule {}
--- a/apps/server/src/integrations/mail/providers/mail.provider.ts
+++ b/apps/server/src/integrations/mail/providers/mail.provider.ts
@ -27,7 +27,10 @@ export const mailDriverConfigProvider = {
    switch (driver) {
      case MailOption.SMTP:
        let auth = undefined;
-        if (environmentService.getSmtpUsername() && environmentService.getSmtpPassword()) {
+        if (
+          environmentService.getSmtpUsername() &&
+          environmentService.getSmtpPassword()
+        ) {
          auth = {
            user: environmentService.getSmtpUsername(),
            pass: environmentService.getSmtpPassword(),
--- a/apps/server/src/integrations/transactional/emails/forgot-password-email.tsx
+++ b/apps/server/src/integrations/transactional/emails/forgot-password-email.tsx
@ -0,0 +1,27 @@
+import { Section, Text } from '@react-email/components';
+import * as React from 'react';
+import { content, paragraph } from '../css/styles';
+import { MailBody } from '../partials/partials';
+
+interface Props {
+    username: string;
+    code: string;
+}
+
+export const ForgotPasswordEmail = ({ username, code }: Props) => {
+    return (
+        <MailBody>
+          <Section style={content}>
+            <Text style={paragraph}>Hi {username},</Text>
+            <Text style={paragraph}>
+              The code for resetting your password is: <strong>{code}</strong>.
+            </Text>
+            <Text style={paragraph}>
+              If you did not request a password reset, please ignore this email.
+            </Text>
+          </Section>
+        </MailBody>
+      );
+}
+
+export default ForgotPasswordEmail;
--- a/apps/server/src/integrations/transactional/utils/utils.ts
+++ b/apps/server/src/integrations/transactional/utils/utils.ts
@ -1,6 +1,6 @@
 export const formatDate = (date: Date) => {
-  new Intl.DateTimeFormat("en", {
-    dateStyle: "medium",
-    timeStyle: "medium",
+  new Intl.DateTimeFormat('en', {
+    dateStyle: 'medium',
+    timeStyle: 'medium',
  }).format(date);
 };