Feature: Set the password reset time to 1 hour [#68] (#459)

* New Crowdin updates (#457)

* New translations source.json (French)

* New translations source.json (Spanish)

* New translations source.json (Arabic)

* New translations source.json (Belarusian)

* New translations source.json (Bulgarian)

* New translations source.json (Czech)

* New translations source.json (German)

* New translations source.json (Finnish)

* New translations source.json (Japanese)

* New translations source.json (Georgian)

* New translations source.json (Lithuanian)

* New translations source.json (Macedonian)

* New translations source.json (Dutch)

* New translations source.json (Polish)

* New translations source.json (Russian)

* New translations source.json (Slovak)

* New translations source.json (Albanian)

* New translations source.json (Ukrainian)

* New translations source.json (Chinese Simplified)

* New translations source.json (Portuguese, Brazilian)

* New translations source.json (Indonesian)

* New translations source.json (Estonian)

* New translations source.json (Latvian)

* New translations source.json (Hindi)

* New translations source.json (English, United Kingdom)

* New translations source.json (Burmese)

* refactor redis, add cache

* add cache token for reset password link

---------

Co-authored-by: tiblu <[email protected]>

Author: 2 people

app.js

@@ -3,7 +3,6 @@
 const config = require('config');
 const express = require('express');
 const session = require('express-session');
-const RedisStoreSession = require("connect-redis").default
 const path = require('path');
 const cookieParser = require('cookie-parser');
 const bodyParser = require('body-parser');
@@ -35,39 +34,12 @@ const StreamUpload = require('stream_upload');
 const notifications = require('./libs/notifications');
 const SlowDown = require('express-slow-down');
 const rateLimit = require('express-rate-limit')
-const { createClient } = require('redis');
 const which = require('which');
 
-let rateLimitStore, speedLimitStore;
-if (config.rateLimit && config.rateLimit.storageType === 'redis') {
-    const { RedisStore } = require('rate-limit-redis');
-    const redisUrl = config.rateLimit.client?.url;
-    const redisOptions = config.rateLimit.client?.options;
-    const redisConf = Object.assign({ url: process.env.REDIS_URL || redisUrl }, redisOptions);
-    const client = createClient(redisConf);
-
-    client.on('error', err => logger.error('Redis Client Error', err))
-    client.on('end', () => {
-        logger.log('Redis connection ended');
-    });
-    client.connect();
-    rateLimitStore = new RedisStore({
-        client,
-        prefix: 'rl',
-        sendCommand: (...args) => client.sendCommand(args)
-    });
+const app = express();
+app.set('redis', require('./libs/redis')(app));
 
-    speedLimitStore = new RedisStore({
-        client,
-        prefix: 'sl',
-        sendCommand: (...args) => client.sendCommand(args)
-    });
-
-    /*Set Redis Session store*/
-    config.session.store = new RedisStoreSession({
-        client
-    });
-}
+const { rateLimitStore, speedLimitStore } = app.get('redis');
 
 const rateLimiter = function (allowedRequests, blockTime, skipSuccess) {
     if (app.get('env') === 'test') {
@@ -108,8 +80,6 @@ const speedLimiter = function (allowedRequests, skipSuccess, blockTime, delay) {
     })
 };
 
-const app = express();
-
 // Express settings
 // TODO: Would be nice if conf had express.settings.* and all from there would be set
 if (app.get('env') === 'production' || app.get('env') === 'test') {

libs/redis/cache.js

@@ -0,0 +1,22 @@
+"use strict";
+
+module.exports = function (client) {
+  const setResetPasswordToken = async (key, ttl, data) => {
+    await client.setEx(key, ttl, JSON.stringify(data));
+  };
+
+  const getResetPasswordToken = async (key) => {
+    const value = await client.get(key);
+    return value ? JSON.parse(value) : null;
+  };
+
+  const deleteResetPasswordToken = async (key) => {
+    await client.del(key);
+  };
+
+  return {
+    setResetPasswordToken,
+    getResetPasswordToken,
+    deleteResetPasswordToken,
+  };
+};

libs/redis/index.js

@@ -0,0 +1,40 @@
+"use strict";
+
+const config = require("config");
+const { createClient } = require("redis");
+const log4js = require("log4js");
+
+module.exports = function (app) {
+  const logger = log4js.getLogger(app.settings.env);
+
+  const redisUrl = config.rateLimit?.client?.url;
+  const redisOptions = config.rateLimit?.client?.options;
+  const redisConf = Object.assign(
+    { url: process.env.REDIS_URL || redisUrl },
+    redisOptions
+  );
+  const client = createClient(redisConf);
+
+  client.on("error", (err) => logger.error("Redis Client Error", err));
+  client.on("end", () => {
+    logger.log("Redis connection ended");
+  });
+  client.connect();
+
+  const {
+    setResetPasswordToken,
+    getResetPasswordToken,
+    deleteResetPasswordToken,
+  } = require("./cache")(client);
+
+  const { rateLimitStore, speedLimitStore } = require("./limitStores")(client);
+
+  return {
+    rateLimitStore,
+    speedLimitStore,
+    client,
+    setResetPasswordToken,
+    getResetPasswordToken,
+    deleteResetPasswordToken,
+  };
+};

libs/redis/limitStores.js

@@ -0,0 +1,32 @@
+"use strict";
+
+const config = require("config");
+const RedisStoreSession = require("connect-redis").default;
+const { RedisStore } = require("rate-limit-redis");
+
+module.exports = function (client) {
+  let rateLimitStore, speedLimitStore;
+  if (config.rateLimit && config.rateLimit.storageType === "redis") {
+    rateLimitStore = new RedisStore({
+      client,
+      prefix: "rl",
+      sendCommand: (...args) => client.sendCommand(args),
+    });
+
+    speedLimitStore = new RedisStore({
+      client,
+      prefix: "sl",
+      sendCommand: (...args) => client.sendCommand(args),
+    });
+
+    /*Set Redis Session store*/
+    config.session.store = new RedisStoreSession({
+      client,
+    });
+  }
+
+  return {
+    rateLimitStore,
+    speedLimitStore,
+  };
+};

routes/api/auth.js

@@ -27,6 +27,12 @@ module.exports = function (app) {
     const rateLimiter = app.get('rateLimiter');
     const expressRateLimitInput = app.get('middleware.expressRateLimitInput');
 
+    const {
+        setResetPasswordToken,
+        getResetPasswordToken,
+        deleteResetPasswordToken
+    } = app.get('redis')
+
     const User = models.User;
     const UserConnection = models.UserConnection;
     const UserConsent = models.UserConsent;
@@ -36,6 +42,9 @@ module.exports = function (app) {
     const COOKIE_NAME_OPENID_AUTH_STATE = 'cos.authStateOpenId';
     const COOKIE_NAME_COS_AUTH_STATE = 'cos.authState';
 
+    const cachedResetCodeKey = (userId) => `${userId}:resetPasswordToken`;
+    const CACHED_RESET_TOKEN_TTL = 3600;
+
     /**
      * Set state cookie with all in req.query when it does not exist
      *
@@ -441,7 +450,6 @@ module.exports = function (app) {
         return res.ok();
     }));
 
-
     app.post('/api/auth/password/reset/send', asyncMiddleware(async function (req, res) {
         const email = req.body.email;
         if (!email || !validator.isEmail(email)) {
@@ -458,11 +466,22 @@ module.exports = function (app) {
             return res.ok('Success! Please check your email :email to complete your password recovery.'.replace(':email', email));
         }
 
-        user.passwordResetCode = true; // Model will generate new code
-
-        await user.save({fields: ['passwordResetCode']});
+        const key = cachedResetCodeKey(user.id)
+        const cachedResetCode = await getResetPasswordToken(key);
+    
+        if (!cachedResetCode) {
+            user.passwordResetCode = true; // Model will generate new code
+            await user.save({ fields: ["passwordResetCode"] });
+            await setResetPasswordToken(key, CACHED_RESET_TOKEN_TTL, user.passwordResetCode);
+        }
+    
+        const passwordResetCode = cachedResetCode || user.passwordResetCode;
+    
+        const emailResult = await emailLib.sendPasswordReset(
+            user.email,
+            passwordResetCode
+        );
 
-        const emailResult = await emailLib.sendPasswordReset(user.email, user.passwordResetCode);
         if (emailResult.done.length === 0 && emailResult.errors.length) {
             return res.badRequest(emailResult.errors[0].details)
         }
@@ -484,15 +503,25 @@ module.exports = function (app) {
             }
         });
 
+        const cachedResetCode = await getResetPasswordToken(cachedResetCodeKey(user.id));
+    
         // !user.passwordResetCode avoids the situation where passwordResetCode has not been sent (null), but user posts null to API
-        if (!user || !user.passwordResetCode) {
-            return res.badRequest('Invalid email, password or password reset code.');
+        if (
+              !user ||
+              !user.passwordResetCode ||
+              !cachedResetCode ||
+              user.passwordResetCode !== cachedResetCode
+        ) {
+            return res.badRequest(
+              "Invalid email, password or password reset code."
+            );
         }
 
         user.password = password; // Hash is created by the model hooks
-        user.passwordResetCode = true; // Model will generate new code so that old code cannot be used again - https://github.com/citizenos/citizenos-api/issues/68
 
-        await user.save({fields: ['password', 'passwordResetCode']});
+        await user.save({fields: ['password']});
+        await deleteResetPasswordToken(cachedResetCodeKey(user.id));
+
         //TODO: Logout all existing sessions for the User!
         return res.ok();
     }));