server/api/controllers/users/update-username.js

/*!
 * Copyright (c) 2024 PLANKA Software GmbH
 * Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md
 */

/**
 * @swagger
 * /users/{id}/username:
 *   patch:
 *     summary: Update user username
 *     description: Updates a user's username. Users must provide a current password when updating their own username (unless they are SSO users with `oidcIgnoreUsername` enabled). Admins can update any user's username without the current password.
 *     tags:
 *       - Users
 *     parameters:
 *       - in: path
 *         name: id
 *         required: true
 *         description: ID of the user whose username to update
 *         schema:
 *           type: string
 *           example: 1357158568008091264
 *     requestBody:
 *       required: true
 *       content:
 *         application/json:
 *           schema:
 *             type: object
 *             properties:
 *               username:
 *                 type: string
 *                 minLength: 3
 *                 maxLength: 16
 *                 pattern: '^[a-zA-Z0-9]+((_|\.)?[a-zA-Z0-9])*$'
 *                 nullable: true
 *                 description: Unique username for user identification
 *                 example: john_doe
 *               currentPassword:
 *                 type: string
 *                 maxLength: 256
 *                 description: Current password (required when updating own username)
 *                 example: SecurePassword123!
 *     responses:
 *       200:
 *         description: Username updated successfully
 *         content:
 *           application/json:
 *             schema:
 *               type: object
 *               required:
 *                 - item
 *               properties:
 *                 item:
 *                   $ref: '#/components/schemas/User'
 *       400:
 *         $ref: '#/components/responses/ValidationError'
 *       401:
 *         $ref: '#/components/responses/Unauthorized'
 *       403:
 *         $ref: '#/components/responses/Forbidden'
 *       404:
 *         $ref: '#/components/responses/NotFound'
 *       409:
 *         $ref: '#/components/responses/Conflict'
 */

const bcrypt = require('bcrypt');

const { idInput } = require('../../../utils/inputs');

const Errors = {
  NOT_ENOUGH_RIGHTS: {
    notEnoughRights: 'Not enough rights',
  },
  INVALID_CURRENT_PASSWORD: {
    invalidCurrentPassword: 'Invalid current password',
  },
  USER_NOT_FOUND: {
    userNotFound: 'User not found',
  },
  USERNAME_ALREADY_IN_USE: {
    usernameAlreadyInUse: 'Username already in use',
  },
};

module.exports = {
  inputs: {
    id: {
      ...idInput,
      required: true,
    },
    username: {
      type: 'string',
      isNotEmptyString: true,
      minLength: 3,
      maxLength: 16,
      regex: /^[a-zA-Z0-9]+((_|\.)?[a-zA-Z0-9])*$/,
      allowNull: true,
    },
    currentPassword: {
      type: 'string',
      isNotEmptyString: true,
      maxLength: 256,
    },
  },

  exits: {
    notEnoughRights: {
      responseType: 'forbidden',
    },
    invalidCurrentPassword: {
      responseType: 'forbidden',
    },
    userNotFound: {
      responseType: 'notFound',
    },
    usernameAlreadyInUse: {
      responseType: 'conflict',
    },
  },

  async fn(inputs) {
    const { currentUser } = this.req;

    if (inputs.id !== currentUser.id && currentUser.role !== User.Roles.ADMIN) {
      throw Errors.USER_NOT_FOUND; // Forbidden
    }

    let user = await User.qm.getOneById(inputs.id);

    if (!user) {
      throw Errors.USER_NOT_FOUND;
    }

    if (user.email === sails.config.custom.defaultAdminEmail) {
      throw Errors.NOT_ENOUGH_RIGHTS;
    }

    if (user.isSsoUser) {
      if (!sails.config.custom.oidcIgnoreUsername) {
        throw Errors.NOT_ENOUGH_RIGHTS;
      }
    } else if (inputs.id === currentUser.id) {
      if (!inputs.currentPassword) {
        throw Errors.INVALID_CURRENT_PASSWORD;
      }

      const isCurrentPasswordValid = await bcrypt.compare(inputs.currentPassword, user.password);

      if (!isCurrentPasswordValid) {
        throw Errors.INVALID_CURRENT_PASSWORD;
      }
    }

    const values = _.pick(inputs, ['username']);

    user = await sails.helpers.users.updateOne
      .with({
        values,
        record: user,
        actorUser: currentUser,
        request: this.req,
      })
      .intercept('usernameAlreadyInUse', () => Errors.USERNAME_ALREADY_IN_USE);

    if (!user) {
      throw Errors.USER_NOT_FOUND;
    }

    return {
      item: sails.helpers.users.presentOne(user, currentUser),
    };
  },
};
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`/*!`
			`* Copyright (c) 2024 PLANKA Software GmbH`
			`* Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md`
			`*/`

docs: Add full Swagger JSDoc coverage 2025-09-08 16:20:27 +02:00			`/**`
			`* @swagger`
docs: Add base path for API endpoints to Swagger 2025-09-08 18:25:26 +02:00			`* /users/{id}/username:`
docs: Add full Swagger JSDoc coverage 2025-09-08 16:20:27 +02:00			`* patch:`
			`* summary: Update user username`
			* description: Updates a user's username. Users must provide a current password when updating their own username (unless they are SSO users with `oidcIgnoreUsername` enabled). Admins can update any user's username without the current password.
			`* tags:`
			`* - Users`
			`* parameters:`
			`* - in: path`
			`* name: id`
			`* required: true`
			`* description: ID of the user whose username to update`
			`* schema:`
			`* type: string`
			`* example: 1357158568008091264`
			`* requestBody:`
			`* required: true`
			`* content:`
			`* application/json:`
			`* schema:`
			`* type: object`
			`* properties:`
			`* username:`
			`* type: string`
			`* minLength: 3`
			`* maxLength: 16`
			`* pattern: '^[a-zA-Z0-9]+((_\|\.)?[a-zA-Z0-9])*$'`
			`* nullable: true`
			`* description: Unique username for user identification`
			`* example: john_doe`
			`* currentPassword:`
			`* type: string`
			`* maxLength: 256`
			`* description: Current password (required when updating own username)`
			`* example: SecurePassword123!`
			`* responses:`
			`* 200:`
			`* description: Username updated successfully`
			`* content:`
			`* application/json:`
			`* schema:`
			`* type: object`
			`* required:`
			`* - item`
			`* properties:`
			`* item:`
			`* $ref: '#/components/schemas/User'`
			`* 400:`
			`* $ref: '#/components/responses/ValidationError'`
			`* 401:`
			`* $ref: '#/components/responses/Unauthorized'`
			`* 403:`
			`* $ref: '#/components/responses/Forbidden'`
			`* 404:`
			`* $ref: '#/components/responses/NotFound'`
			`* 409:`
			`* $ref: '#/components/responses/Conflict'`
			`*/`

Add username to user 2020-04-03 00:35:25 +05:00			`const bcrypt = require('bcrypt');`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`const { idInput } = require('../../../utils/inputs');`

Add username to user 2020-04-03 00:35:25 +05:00			`const Errors = {`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`NOT_ENOUGH_RIGHTS: {`
			`notEnoughRights: 'Not enough rights',`
			`},`
Add username to user 2020-04-03 00:35:25 +05:00			`INVALID_CURRENT_PASSWORD: {`
			`invalidCurrentPassword: 'Invalid current password',`
			`},`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`USER_NOT_FOUND: {`
			`userNotFound: 'User not found',`
			`},`
Add username to user 2020-04-03 00:35:25 +05:00			`USERNAME_ALREADY_IN_USE: {`
			`usernameAlreadyInUse: 'Username already in use',`
			`},`
			`};`

			`module.exports = {`
			`inputs: {`
			`id: {`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`...idInput,`
Add username to user 2020-04-03 00:35:25 +05:00			`required: true,`
			`},`
			`username: {`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`type: 'string',`
Add username to user 2020-04-03 00:35:25 +05:00			`isNotEmptyString: true,`
			`minLength: 3,`
			`maxLength: 16,`
Allow dots in username. Closes #116 2021-04-13 18:59:02 +05:00			`regex: /^[a-zA-Z0-9]+((_\|\.)?[a-zA-Z0-9])*$/,`
Add username to user 2020-04-03 00:35:25 +05:00			`allowNull: true,`
			`},`
			`currentPassword: {`
			`type: 'string',`
			`isNotEmptyString: true,`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`maxLength: 256,`
Add username to user 2020-04-03 00:35:25 +05:00			`},`
			`},`

			`exits: {`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`notEnoughRights: {`
			`responseType: 'forbidden',`
			`},`
Add username to user 2020-04-03 00:35:25 +05:00			`invalidCurrentPassword: {`
			`responseType: 'forbidden',`
			`},`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`userNotFound: {`
			`responseType: 'notFound',`
			`},`
Add username to user 2020-04-03 00:35:25 +05:00			`usernameAlreadyInUse: {`
			`responseType: 'conflict',`
			`},`
			`},`

Project managers, board members, auto-update after reconnection, refactoring 2021-06-24 01:05:22 +05:00			`async fn(inputs) {`
Add username to user 2020-04-03 00:35:25 +05:00			`const { currentUser } = this.req;`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`if (inputs.id !== currentUser.id && currentUser.role !== User.Roles.ADMIN) {`
Add username to user 2020-04-03 00:35:25 +05:00			`throw Errors.USER_NOT_FOUND; // Forbidden`
			`}`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`let user = await User.qm.getOneById(inputs.id);`
Add username to user 2020-04-03 00:35:25 +05:00
			`if (!user) {`
			`throw Errors.USER_NOT_FOUND;`
			`}`

feat: Add ability to map OIDC attributes and ignore username Closes #554 2024-01-25 23:01:59 +01:00			`if (user.email === sails.config.custom.defaultAdminEmail) {`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`throw Errors.NOT_ENOUGH_RIGHTS;`
feat: Use environment variables for default admin configuration 2023-09-12 01:12:38 +02:00			`}`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`if (user.isSsoUser) {`
feat: Add ability to map OIDC attributes and ignore username Closes #554 2024-01-25 23:01:59 +01:00			`if (!sails.config.custom.oidcIgnoreUsername) {`
			`throw Errors.NOT_ENOUGH_RIGHTS;`
			`}`
			`} else if (inputs.id === currentUser.id) {`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`if (!inputs.currentPassword) {`
			`throw Errors.INVALID_CURRENT_PASSWORD;`
			`}`

			`const isCurrentPasswordValid = await bcrypt.compare(inputs.currentPassword, user.password);`

			`if (!isCurrentPasswordValid) {`
feat: Add ability to map OIDC attributes and ignore username Closes #554 2024-01-25 23:01:59 +01:00			`throw Errors.INVALID_CURRENT_PASSWORD;`
			`}`
Add username to user 2020-04-03 00:35:25 +05:00			`}`

			`const values = _.pick(inputs, ['username']);`

ref: Remove board types, refactoring 2022-12-26 21:10:50 +01:00			`user = await sails.helpers.users.updateOne`
			`.with({`
			`values,`
			`record: user,`
feat: Webhooks configuration, all events support, refactoring 2024-06-12 00:51:36 +02:00			`actorUser: currentUser,`
ref: Remove board types, refactoring 2022-12-26 21:10:50 +01:00			`request: this.req,`
			`})`
Add username to user 2020-04-03 00:35:25 +05:00			`.intercept('usernameAlreadyInUse', () => Errors.USERNAME_ALREADY_IN_USE);`

			`if (!user) {`
			`throw Errors.USER_NOT_FOUND;`
			`}`

Project managers, board members, auto-update after reconnection, refactoring 2021-06-24 01:05:22 +05:00			`return {`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`item: sails.helpers.users.presentOne(user, currentUser),`
Project managers, board members, auto-update after reconnection, refactoring 2021-06-24 01:05:22 +05:00			`};`
Add username to user 2020-04-03 00:35:25 +05:00			`},`
			`};`