overleaf-cep/services/web/app/src/Features/PasswordReset/PasswordResetController.js

const PasswordResetHandler = require('./PasswordResetHandler')
const AuthenticationController = require('../Authentication/AuthenticationController')
const AuthenticationManager = require('../Authentication/AuthenticationManager')
const SessionManager = require('../Authentication/SessionManager')
const UserGetter = require('../User/UserGetter')
const UserUpdater = require('../User/UserUpdater')
const UserSessionsManager = require('../User/UserSessionsManager')
const OError = require('@overleaf/o-error')
const EmailsHelper = require('../Helpers/EmailHelper')
const { expressify } = require('@overleaf/promise-utils')

async function setNewUserPassword(req, res, next) {
  let user
  let { passwordResetToken, password, email } = req.body
  if (!passwordResetToken || !password) {
    return res.status(400).json({
      message: {
        key: 'invalid-password',
      },
    })
  }

  const err = AuthenticationManager.validatePassword(password, email)
  if (err) {
    const message = AuthenticationManager.getMessageForInvalidPasswordError(
      err,
      req
    )
    return res.status(400).json({ message })
  }

  passwordResetToken = passwordResetToken.trim()
  delete req.session.resetToken

  const initiatorId = SessionManager.getLoggedInUserId(req.session)
  // password reset via tokens can be done while logged in, or not
  const auditLog = {
    initiatorId,
    ip: req.ip,
  }

  try {
    const result = await PasswordResetHandler.promises.setNewUserPassword(
      passwordResetToken,
      password,
      auditLog
    )
    const { found, reset, userId } = result
    if (!found) {
      return res.status(404).json({
        message: {
          key: 'token-expired',
        },
      })
    }
    if (!reset) {
      return res.status(500).json({
        message: req.i18n.translate('error_performing_request'),
      })
    }
    await UserSessionsManager.promises.revokeAllUserSessions(
      { _id: userId },
      []
    )
    await UserUpdater.promises.removeReconfirmFlag(userId)
    if (!req.session.doLoginAfterPasswordReset) {
      return res.sendStatus(200)
    }
    user = await UserGetter.promises.getUser(userId)
  } catch (error) {
    if (error.name === 'NotFoundError') {
      return res.status(404).json({
        message: {
          key: 'token-expired',
        },
      })
    } else if (error.name === 'InvalidPasswordError') {
      return res.status(400).json({
        message: {
          key: 'invalid-password',
        },
      })
    } else if (error.name === 'PasswordMustBeDifferentError') {
      return res.status(400).json({
        message: {
          key: 'password-must-be-different',
        },
      })
    } else if (error.name === 'PasswordReusedError') {
      return res.status(400).json({
        message: {
          key: 'password-must-be-strong',
        },
      })
    } else {
      return res.status(500).json({
        message: req.i18n.translate('error_performing_request'),
      })
    }
  }
  AuthenticationController.setAuditInfo(req, {
    method: 'Password reset, set new password',
  })
  AuthenticationController.finishLogin(user, req, res, next)
}

async function requestReset(req, res, next) {
  const email = EmailsHelper.parseEmail(req.body.email)
  if (!email) {
    return res.status(400).json({
      message: req.i18n.translate('must_be_email_address'),
    })
  }

  let status
  try {
    status = await PasswordResetHandler.promises.generateAndEmailResetToken(
      email
    )
  } catch (err) {
    OError.tag(err, 'failed to generate and email password reset token', {
      email,
    })
    if (err.message === 'user does not have permission for change-password') {
      return res.status(403).json({
        message: {
          key: 'no-password-allowed-due-to-sso',
        },
      })
    }
    throw err
  }

  if (status === 'primary') {
    return res.status(200).json({
      message: req.i18n.translate('password_reset_email_sent'),
    })
  } else if (status === 'secondary') {
    return res.status(404).json({
      message: req.i18n.translate('secondary_email_password_reset'),
    })
  } else {
    return res.status(404).json({
      message: req.i18n.translate('cant_find_email'),
    })
  }
}

module.exports = {
  renderRequestResetForm(req, res) {
    const errorQuery = req.query.error
    let error = null
    if (errorQuery === 'token_expired') {
      error = 'password_reset_token_expired'
    }
    res.render('user/passwordReset', {
      title: 'reset_password',
      error,
    })
  },

  requestReset: expressify(requestReset),

  renderSetPasswordForm(req, res) {
    if (req.query.passwordResetToken != null) {
      return PasswordResetHandler.getUserForPasswordResetToken(
        req.query.passwordResetToken,
        (err, result) => {
          const { user, remainingPeeks } = result || {}
          if (err || !user || remainingPeeks <= 0) {
            return res.redirect('/user/password/reset?error=token_expired')
          }
          req.session.resetToken = req.query.passwordResetToken
          let emailQuery = ''
          if (typeof req.query.email === 'string') {
            const email = EmailsHelper.parseEmail(req.query.email)
            if (email) {
              emailQuery = `?email=${encodeURIComponent(email)}`
            }
          }
          return res.redirect('/user/password/set' + emailQuery)
        }
      )
    }
    if (req.session.resetToken == null) {
      return res.redirect('/user/password/reset')
    }
    const email = EmailsHelper.parseEmail(req.query.email)
    res.render('user/setPassword', {
      title: 'set_password',
      email,
      passwordResetToken: req.session.resetToken,
    })
  },

  setNewUserPassword: expressify(setNewUserPassword),
}