devsoc-unsw · lachlanshoesmith · Dec 12, 2024 · Nov 18, 2024 · Nov 18, 2024 · Nov 18, 2024
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -7,6 +7,7 @@ on:
       - feature/login
       - feature/event
       - feature/societyJoin
+      - feature/forgot-password
   pull_request:
     branches:
       - main

diff --git a/backend/.env.test b/backend/.env.test
@@ -2,4 +2,6 @@ DATABASE_URL="postgres://postgres:postgres@localhost:5432"
 DIRECT_URL="postgres://postgres:postgres@localhost:5432"
 NODE_ENV=test
 REDIS_PORT=6380
-SESSION_SECRET=notsecret
+SESSION_SECRET=notsecret
+OTP_EXPIRES=1
+CI=true
diff --git a/backend/package.json b/backend/package.json
@@ -5,8 +5,7 @@
   "main": "index.js",
   "scripts": {
     "start": "NODE_ENV=dev ts-node src/index.ts",
-    "start_win": "set NODE_ENV=dev && ts-node src/index.ts",
-    "test": "vitest",
+    "test": "vitest --inspect-brk --no-file-parallelism --disable-console-intercept",
     "test:int": "./scripts/run-integration.sh"
   },
   "keywords": [],
@@ -20,6 +19,8 @@
     "dayjs": "^1.11.13",
     "express": "^4.21.2",
     "express-session": "^1.18.1",
+    "form-data": "^4.0.1",
+    "mailgun.js": "^10.2.3",
     "prisma": "^5.22.0",
     "redis": "^4.7.0",
     "zod": "^3.23.8",

diff --git a/backend/pnpm-lock.yaml b/backend/pnpm-lock.yaml
diff --git a/.../migrations/20241211012529_/migration.sql → ...rations/20241211174724_init/migration.sql b/.../migrations/20241211012529_/migration.sql → ...rations/20241211174724_init/migration.sql
@@ -68,6 +68,12 @@ CREATE TABLE "_KeywordToUser" (
     "B" INTEGER NOT NULL
 );
 
+-- CreateIndex
+CREATE UNIQUE INDEX "User_username_key" ON "User"("username");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "User_email_key" ON "User"("email");
+
 -- CreateIndex
 CREATE UNIQUE INDEX "Society_name_key" ON "Society"("name");
 

diff --git a/backend/prisma/schema.prisma b/backend/prisma/schema.prisma
@@ -16,8 +16,8 @@ datasource db {
 
 model User {
   id             Int       @id @default(autoincrement())
-  username       String
-  email          String
+  username       String    @unique
+  email          String    @unique
   password       String
   salt           String
   dateJoined     DateTime
@@ -56,8 +56,8 @@ model Event {
 }
 
 model Keyword {
-  id        Int     @id @default(autoincrement())
-  text      String  @unique
+  id Int @id @default(autoincrement())
+  text String @unique
   subscribers User[]
-  events    Event[]
-}
+  events Event[]
+}
diff --git a/backend/src/index.ts b/backend/src/index.ts
@@ -18,6 +18,11 @@ import prisma from "./prisma";
 import RedisStore from "connect-redis";
 import { createClient } from "redis";
 import dayjs, { Dayjs } from "dayjs";
+import { generateOTP } from "./routes/OTP/generateOTP";
+import assert from "assert";
+import { verifyOTP } from "./routes/OTP/verifyOTP";
+import { findUserFromId, updateUserPasswordFromEmail } from "./routes/User/user";
+
 declare module "express-session" {
   interface SessionData {
     userId: number;
@@ -26,6 +31,7 @@ declare module "express-session" {
 
 // Initialize client.
 if (process.env["REDIS_PORT"] === undefined) {
+  console.log(process.env);
   console.error("Redis port not provided in .env file");
   process.exit(1);
 }
@@ -43,6 +49,7 @@ let redisStore = new RedisStore({
 
 const app = express();
 const SERVER_PORT = 5180;
+const SALT_ROUNDS = 10;
 
 app.use(cors());
 app.use(express.json());
@@ -96,7 +103,7 @@ app.post(
         .json({ error: "Account with same credentials already exists" });
     }
 
-    const saltRounds: number = 10;
+    const saltRounds: number = SALT_ROUNDS;
     const salt = await bcrypt.genSalt(saltRounds);
     const hashedPassword = await bcrypt.hash(password, salt);
 
@@ -122,6 +129,139 @@ app.post(
   }
 );
 
+app.post("/auth/otp/generate", async(req: Request, res: Response) => {
+  try {
+    const { email } : { email: string} = req.body;
+
+    if(!email) {
+      throw new Error("Email address expected.");
+    }
+
+    const token = await generateOTP(email); 
+
+    if (token) {
+      const expiryTime = process.env["OTP_EXPIRES"];
+
+      try {
+        await redisClient.set(email, token, { EX: parseInt(expiryTime as string) });
+      } catch {
+        console.error("OTP expiration time not set in environment variable.");
+      }
+
+      if(process.env["CI"]) {
+        return res.status(200).json({message: token});
+      }
+      return res.status(200).json({ message: "ok" });
+    } else {
+      return res.status(400).json( {message: "Unexpected error while generating OTP."} );
+    }
+
+  } catch(error) {
+    return res.status(400).json({ message: (error as Error).message });
+  }
+});
+
+app.post("/auth/otp/verify", async(req: Request, res: Response) => {
+  try {
+    const { email, token } = req.body;
+
+    if(!email) {
+      throw new Error("Email address expected.");
+    }
+
+    if(!token) {
+      throw new Error("One time code expected.");
+    }
+
+    const otp  = await redisClient.get(email);
+
+    verifyOTP(token, otp);
+
+    const expiryTime = process.env["OTP_EXPIRES"];
+
+    try {
+      await redisClient.set(email, token, { EX: parseInt(expiryTime as string) });
+    } catch {
+      console.error("OTP expiration time not set in environment variable.");
+    }
+
+    return res.status(200).json({message: "ok" });
+
+  } catch (error) {
+    return res.status(400).json({ message: (error as Error).message });
+  }
+});
+
+app.post("/auth/password/forgot", async(req: Request, res: Response) => {
+  try {
+    const { email, token, newPassword } = req.body;
+
+    if(!email) {
+      throw new Error("Email is expected.");
+    }
+
+    if(!token) {
+      throw new Error("One time code required to reset password.");
+    }
+
+    if(!newPassword) {
+      throw new Error("New password is invalid.");
+    }
+
+    const otp = await redisClient.get(email);
+
+    verifyOTP(token, otp);
+
+    await updateUserPasswordFromEmail(email, newPassword, SALT_ROUNDS);
+
+    return res.status(200).json({message: "ok"});
+
+  } catch (error) {
+    return res.status(400).json({ message: `Unable to update password. ${(error as Error).message}`});
+  }
+});
+
+app.post("/auth/password/update", async(req: Request, res: Response) => {
+  try {
+    const { oldPassword, newPassword } = req.body;
+
+    if(!oldPassword) {
+      throw new Error("Unable to validate existing password.");
+    }
+
+    if(!newPassword) {
+      throw new Error("Invalid new password.");
+    }
+
+    const currentId = req.session.userId;
+
+    if(!currentId) {
+      throw new Error("Invalid session.");
+    }
+
+
+    // validate old password
+    const user = await findUserFromId(currentId);
+
+    const validPassword = await bcrypt.compare(oldPassword, user.password);
+    if (!validPassword) {
+      throw new Error("Current password is incorrect.");
+    }
+
+    // save new password
+    await updateUserPasswordFromEmail(user.email, newPassword, SALT_ROUNDS);
+
+    // refresh session
+    req.session.cookie.expires = dayjs().add(1, "week").toDate();
+    req.session.save();
+
+    return res.status(200).json({message: "ok"});
+
+  } catch (error) {
+    return res.status(400).json({ message: `Unable to update password. ${(error as Error).message}`});
+  }
+})
+
 app.post("/auth/login", async (req: TypedRequest<LoginBody>, res: Response) => {
   try {
     const { username, password } = req.body;