planka/server/api/controllers/users/update-password.js

/*!
 * Copyright (c) 2024 PLANKA Software GmbH
 * Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md
 */

/**
 * @swagger
 * /users/{id}/password:
 *   patch:
 *     summary: Update user password
 *     description: Updates a user's password. Users must provide a current password when updating their own password. Admins can update any user's password without the current password. Returns a new access token when updating own password.
 *     tags:
 *       - Users
 *     operationId: updateUserPassword
 *     parameters:
 *       - in: path
 *         name: id
 *         required: true
 *         description: ID of the user whose password to update
 *         schema:
 *           type: string
 *           example: "1357158568008091264"
 *     requestBody:
 *       required: true
 *       content:
 *         application/json:
 *           schema:
 *             type: object
 *             required:
 *               - password
 *             properties:
 *               password:
 *                 type: string
 *                 maxLength: 256
 *                 description: Password (must meet password requirements)
 *                 example: SecurePassword123!
 *               currentPassword:
 *                 type: string
 *                 maxLength: 256
 *                 description: Current password (required when updating own password)
 *                 example: SecurePassword456!
 *     responses:
 *       200:
 *         description: Password updated successfully
 *         content:
 *           application/json:
 *             schema:
 *               type: object
 *               required:
 *                 - item
 *               properties:
 *                 item:
 *                   $ref: '#/components/schemas/User'
 *                 included:
 *                   type: object
 *                   required:
 *                     - accessToken
 *                   properties:
 *                     accessToken:
 *                       type: string
 *                       description: New acces tokens (when updating own password)
 *                       example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ4...
 *       400:
 *         $ref: '#/components/responses/ValidationError'
 *       401:
 *         $ref: '#/components/responses/Unauthorized'
 *       403:
 *         $ref: '#/components/responses/Forbidden'
 *       404:
 *         $ref: '#/components/responses/NotFound'
 */

const bcrypt = require('bcrypt');

const { isPassword } = require('../../../utils/validators');
const { idInput } = require('../../../utils/inputs');
const { getRemoteAddress } = require('../../../utils/remote-address');

const Errors = {
  NOT_ENOUGH_RIGHTS: {
    notEnoughRights: 'Not enough rights',
  },
  INVALID_CURRENT_PASSWORD: {
    invalidCurrentPassword: 'Invalid current password',
  },
  USER_NOT_FOUND: {
    userNotFound: 'User not found',
  },
};

module.exports = {
  inputs: {
    id: {
      ...idInput,
      required: true,
    },
    password: {
      type: 'string',
      maxLength: 256,
      custom: isPassword,
      required: true,
    },
    currentPassword: {
      type: 'string',
      isNotEmptyString: true,
      maxLength: 256,
    },
  },

  exits: {
    notEnoughRights: {
      responseType: 'forbidden',
    },
    invalidCurrentPassword: {
      responseType: 'forbidden',
    },
    userNotFound: {
      responseType: 'notFound',
    },
  },

  async fn(inputs) {
    const { currentSession, currentUser } = this.req;

    if (inputs.id === currentUser.id) {
      if (!inputs.currentPassword) {
        throw Errors.INVALID_CURRENT_PASSWORD;
      }
    } else if (currentUser.role !== User.Roles.ADMIN) {
      throw Errors.USER_NOT_FOUND; // Forbidden
    }

    let user = await User.qm.getOneById(inputs.id);

    if (!user) {
      throw Errors.USER_NOT_FOUND;
    }

    if (user.email === sails.config.custom.defaultAdminEmail || user.isSsoUser) {
      throw Errors.NOT_ENOUGH_RIGHTS;
    }

    if (inputs.id === currentUser.id) {
      const isCurrentPasswordValid = await bcrypt.compare(inputs.currentPassword, user.password);

      if (!isCurrentPasswordValid) {
        throw Errors.INVALID_CURRENT_PASSWORD;
      }
    }

    const values = _.pick(inputs, ['password']);

    user = await sails.helpers.users.updateOne.with({
      values,
      record: user,
      actorUser: currentUser,
      request: this.req,
    });

    if (!user) {
      throw Errors.USER_NOT_FOUND;
    }

    if (user.id === currentUser.id) {
      const { token: accessToken } = sails.helpers.utils.createJwtToken(
        user.id,
        user.passwordChangedAt,
      );

      await Session.qm.createOne({
        accessToken,
        httpOnlyToken: currentSession.httpOnlyToken,
        userId: user.id,
        remoteAddress: getRemoteAddress(this.req),
        userAgent: this.req.headers['user-agent'],
      });

      return {
        item: sails.helpers.users.presentOne(user, currentUser),
        included: {
          accessToken,
        },
      };
    }

    return {
      item: sails.helpers.users.presentOne(user, currentUser),
    };
  },
};