@flink-app/generic-auth-plugin 0.11.15 → 0.11.17

package/.flink/generatedHandlers.ts

@@ -1,4 +1,4 @@
-// Generated Tue Feb 25 2025 10:27:54 GMT+0100 (Central European Standard Time)
+// Generated Wed Mar 12 2025 11:24:56 GMT+0100 (Central European Standard Time)
 import { autoRegisteredHandlers, HttpMethod } from "@flink-app/flink";
 import * as UserCreate_0 from "../src/handlers/UserCreate";
 import * as UserLogin_0 from "../src/handlers/UserLogin";

package/.flink/generatedJobs.ts

@@ -1,4 +1,4 @@
-// Generated Tue Feb 25 2025 10:27:54 GMT+0100 (Central European Standard Time)
+// Generated Wed Mar 12 2025 11:24:56 GMT+0100 (Central European Standard Time)
 import { autoRegisteredJobs } from "@flink-app/flink";
 export const jobs = [];
 autoRegisteredJobs.push(...jobs);

package/.flink/generatedRepos.ts

@@ -1,4 +1,4 @@
-// Generated Tue Feb 25 2025 10:27:54 GMT+0100 (Central European Standard Time)
+// Generated Wed Mar 12 2025 11:24:56 GMT+0100 (Central European Standard Time)
   import { autoRegisteredRepos } from "@flink-app/flink";
   export const repos = [];
   autoRegisteredRepos.push(...repos);

package/.flink/schemas/schemas.ts

@@ -29,7 +29,7 @@ import { PutManagementUserRolesByUseridRes } from "../../src/schemas/Management/
 import { PutManagementUserUsernameByUseridReq } from "../../src/schemas/Management/PutUserUsernameByUseridReq";
 import { PutManagementUserUsernameByUseridRes } from "../../src/schemas/Management/PutUserUsernameByUseridRes";
 
-// Generated Tue Feb 25 2025 10:27:54 GMT+0100 (Central European Standard Time)
+// Generated Wed Mar 12 2025 11:24:57 GMT+0100 (Central European Standard Time)
 export interface UserCreate_7_ReqSchema extends UserCreateReq {}
 
 export interface UserCreate_7_ResSchema extends UserCreateRes {}

package/.flink/start.ts

@@ -1,4 +1,4 @@
-// Generated Tue Feb 25 2025 10:27:54 GMT+0100 (Central European Standard Time)
+// Generated Wed Mar 12 2025 11:24:56 GMT+0100 (Central European Standard Time)
 import "./generatedHandlers";
 import "./generatedRepos";
 import "./generatedJobs";

package/CLAUDE.md

@@ -0,0 +1,32 @@
+# CLAUDE.md - Guidelines for Generic Auth Plugin
+
+## Build Commands
+- Build: `npm run build` (runs `flink build`)
+- Watch mode: `npm run watch` (uses nodemon to watch files and trigger builds)
+- Publish: `npm run prepublish` (runs build before publishing)
+
+## Code Style
+
+### TypeScript
+- Target: ES5, CommonJS modules, strict typing enabled
+- Keep type definitions in separate schema files in the `/schemas` directory
+- Use explicit return types on all functions (eg: `Promise<UserLoginRes>`)
+- Always handle optionality with `?` and `undefined`/`null` checks
+
+### Naming Conventions
+- camelCase for variables, functions, and methods
+- PascalCase for interfaces and types
+- Request types use `Req` suffix (UserLoginReq)
+- Response types use `Res` suffix (UserLoginRes)
+- Handler files match their function name (UserLogin.ts)
+
+### Error Handling
+- Use structured error responses with status fields and messages
+- Return typed response objects rather than throwing exceptions
+- Use try/catch blocks for operations that might fail (JWT verification)
+
+### Code Structure
+- Group imports: framework first, then local, then third-party
+- Separate authentication methods and utility functions
+- Use standard 4-space indentation with semicolons
+- Maintain consistent function parameter ordering

package/dist/.flink/generatedHandlers.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.handlers = void 0;
-// Generated Tue Feb 25 2025 10:27:54 GMT+0100 (Central European Standard Time)
+// Generated Wed Mar 12 2025 11:24:56 GMT+0100 (Central European Standard Time)
 var flink_1 = require("@flink-app/flink");
 exports.handlers = [];
 flink_1.autoRegisteredHandlers.push.apply(flink_1.autoRegisteredHandlers, exports.handlers);

package/dist/.flink/generatedJobs.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.jobs = void 0;
-// Generated Tue Feb 25 2025 10:27:54 GMT+0100 (Central European Standard Time)
+// Generated Wed Mar 12 2025 11:24:56 GMT+0100 (Central European Standard Time)
 var flink_1 = require("@flink-app/flink");
 exports.jobs = [];
 flink_1.autoRegisteredJobs.push.apply(flink_1.autoRegisteredJobs, exports.jobs);

package/dist/.flink/generatedRepos.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.repos = void 0;
-// Generated Tue Feb 25 2025 10:27:54 GMT+0100 (Central European Standard Time)
+// Generated Wed Mar 12 2025 11:24:56 GMT+0100 (Central European Standard Time)
 var flink_1 = require("@flink-app/flink");
 exports.repos = [];
 flink_1.autoRegisteredRepos.push.apply(flink_1.autoRegisteredRepos, exports.repos);

package/dist/.flink/start.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-// Generated Tue Feb 25 2025 10:27:54 GMT+0100 (Central European Standard Time)
+// Generated Wed Mar 12 2025 11:24:56 GMT+0100 (Central European Standard Time)
 require("./generatedHandlers");
 require("./generatedRepos");
 require("./generatedJobs");

package/dist/src/coreFunctions.d.ts

@@ -16,6 +16,8 @@ export declare function createUser(repo: FlinkRepo<any, User>, auth: JwtAuthPlug
         hash: string;
         salt: string;
     } | null>;
+}, onUserCreated?: {
+    (user: User): Promise<void>;
 }): Promise<UserCreateRes>;
 export declare function loginByToken(repo: FlinkRepo<any, User>, auth: JwtAuthPlugin, token: string, code: string, jwtSecret: string): Promise<UserLoginRes>;
 export declare function loginUser(repo: FlinkRepo<any, User>, auth: JwtAuthPlugin, username: string, password: string | undefined, validatePasswordMethod?: {
@@ -29,10 +31,10 @@ export declare function changePassword(repo: FlinkRepo<any, User>, auth: JwtAuth
         salt: string;
     } | null>;
 }): Promise<UserPasswordChangeRes>;
-export declare function passwordResetStart(repo: FlinkRepo<any, User>, auth: JwtAuthPlugin, jwtSecret: string, username: string, numberOfDigits?: number, lifeTime?: string): Promise<UserPasswordResetStartRes>;
+export declare function passwordResetStart(repo: FlinkRepo<any, User>, auth: JwtAuthPlugin, jwtSecret: string, username: string, numberOfDigits?: number, lifeTime?: string, passwordResetReusableTokens?: boolean): Promise<UserPasswordResetStartRes>;
 export declare function passwordResetComplete(repo: FlinkRepo<any, User>, auth: JwtAuthPlugin, jwtSecret: string, passwordResetToken: string, code: string, newPassword: string, createPasswordHashAndSaltMethod?: {
     (password: string): Promise<{
         hash: string;
         salt: string;
     } | null>;
-}): Promise<UserPasswordResetCompleteRes>;
+}, passwordResetReusableTokens?: boolean): Promise<UserPasswordResetCompleteRes>;

package/dist/src/coreFunctions.js

@@ -70,7 +70,7 @@ function getJtwTokenPlugin(secret, rolePermissions, passwordPolicy, tokenTTL) {
     });
 }
 exports.getJtwTokenPlugin = getJtwTokenPlugin;
-function createUser(repo, auth, username, password, authentificationMethod, roles, profile, createPasswordHashAndSaltMethod) {
+function createUser(repo, auth, username, password, authentificationMethod, roles, profile, createPasswordHashAndSaltMethod, onUserCreated) {
     return __awaiter(this, void 0, void 0, function () {
         var existingUser, userData, passwordAndSalt, user, token;
         return __generator(this, function (_a) {
@@ -116,8 +116,13 @@ function createUser(repo, auth, username, password, authentificationMethod, role
                 case 6: return [4 /*yield*/, repo.create(userData)];
                 case 7:
                     user = _a.sent();
-                    return [4 /*yield*/, auth.createToken({ username: username.toLowerCase(), _id: user._id }, roles)];
+                    if (!onUserCreated) return [3 /*break*/, 9];
+                    return [4 /*yield*/, onUserCreated(user)];
                 case 8:
+                    _a.sent();
+                    _a.label = 9;
+                case 9: return [4 /*yield*/, auth.createToken({ username: username.toLowerCase(), _id: user._id }, roles)];
+                case 10:
                     token = _a.sent();
                     if (user.authentificationMethod == "sms") {
                         return [2 /*return*/, {
@@ -300,9 +305,10 @@ function changePassword(repo, auth, userId, newPassword, createPasswordHashAndSa
     });
 }
 exports.changePassword = changePassword;
-function passwordResetStart(repo, auth, jwtSecret, username, numberOfDigits, lifeTime) {
+function passwordResetStart(repo, auth, jwtSecret, username, numberOfDigits, lifeTime, passwordResetReusableTokens) {
+    if (passwordResetReusableTokens === void 0) { passwordResetReusableTokens = true; }
     return __awaiter(this, void 0, void 0, function () {
-        var user, fakepayload, fakeToken, payload, code, secret, options, token;
+        var user, fakepayload, fakeToken, payload, code, pwdResetStartedAt, secret, options, token;
         return __generator(this, function (_a) {
             switch (_a.label) {
                 case 0: return [4 /*yield*/, repo.getOne({ username: username.toLowerCase() })];
@@ -328,7 +334,17 @@ function passwordResetStart(repo, auth, jwtSecret, username, numberOfDigits, lif
                         username: username.toLocaleLowerCase(),
                     };
                     code = generate(numberOfDigits);
+                    pwdResetStartedAt = new Date().toISOString();
+                    if (!passwordResetReusableTokens) return [3 /*break*/, 2];
                     secret = jwtSecret + ":" + code;
+                    return [3 /*break*/, 4];
+                case 2:
+                    secret = jwtSecret + ":" + code + ":" + pwdResetStartedAt;
+                    return [4 /*yield*/, repo.updateOne(user._id, { pwdResetStartedAt: pwdResetStartedAt })];
+                case 3:
+                    _a.sent();
+                    _a.label = 4;
+                case 4:
                     options = {
                         expiresIn: lifeTime,
                     };
@@ -344,28 +360,36 @@ function passwordResetStart(repo, auth, jwtSecret, username, numberOfDigits, lif
     });
 }
 exports.passwordResetStart = passwordResetStart;
-function passwordResetComplete(repo, auth, jwtSecret, passwordResetToken, code, newPassword, createPasswordHashAndSaltMethod) {
+function passwordResetComplete(repo, auth, jwtSecret, passwordResetToken, code, newPassword, createPasswordHashAndSaltMethod, passwordResetReusableTokens) {
+    if (passwordResetReusableTokens === void 0) { passwordResetReusableTokens = true; }
     return __awaiter(this, void 0, void 0, function () {
-        var payload, secret, user, passwordAndSalt;
+        var payload, user, secret, passwordAndSalt;
         return __generator(this, function (_a) {
             switch (_a.label) {
                 case 0:
-                    payload = { type: "", username: "" };
-                    try {
-                        secret = jwtSecret + ":" + code;
-                        payload = jsonwebtoken_1.default.verify(passwordResetToken, secret);
-                    }
-                    catch (ex) {
+                    payload = jsonwebtoken_1.default.decode(passwordResetToken);
+                    if (!payload || !payload.username)
                         return [2 /*return*/, { status: "invalidCode" }];
-                    }
                     return [4 /*yield*/, repo.getOne({ username: payload.username })];
                 case 1:
                     user = _a.sent();
-                    if (user == null) {
+                    if (!user || user == null || user.authentificationMethod != "password") {
                         return [2 /*return*/, { status: "userNotFound" }];
                     }
-                    if (user.authentificationMethod != "password") {
-                        return [2 /*return*/, { status: "userNotFound" }];
+                    if (passwordResetReusableTokens === true) {
+                        secret = jwtSecret + ":" + code;
+                    }
+                    else {
+                        if (!user.pwdResetStartedAt || user.pwdResetStartedAt === null) {
+                            return [2 /*return*/, { status: "userNotFound" }];
+                        }
+                        secret = jwtSecret + ":" + code + ":" + user.pwdResetStartedAt;
+                    }
+                    try {
+                        jsonwebtoken_1.default.verify(passwordResetToken, secret);
+                    }
+                    catch (ex) {
+                        return [2 /*return*/, { status: "invalidCode" }];
                     }
                     passwordAndSalt = null;
                     if (!(createPasswordHashAndSaltMethod == null)) return [3 /*break*/, 3];
@@ -386,6 +410,7 @@ function passwordResetComplete(repo, auth, jwtSecret, passwordResetToken, code,
                     return [4 /*yield*/, repo.updateOne(user._id, {
                             password: passwordAndSalt.hash,
                             salt: passwordAndSalt.salt,
+                            pwdResetStartedAt: null
                         })];
                 case 6:
                     _a.sent();

package/dist/src/genericAuthContext.d.ts

@@ -20,20 +20,20 @@ export interface genericAuthContext {
                 hash: string;
                 salt: string;
             } | null>;
-        }): Promise<UserCreateRes>;
+        }, onUserCreated?: (user: User) => Promise<void>): Promise<UserCreateRes>;
         changePassword(repo: FlinkRepo<any, User>, auth: JwtAuthPlugin, userId: string, newPassword: string, createPasswordHashAndSaltMethod?: {
             (password: string): Promise<{
                 hash: string;
                 salt: string;
             } | null>;
         }): Promise<UserPasswordChangeRes>;
-        passwordResetStart(repo: FlinkRepo<any, User>, auth: JwtAuthPlugin, jwtSecret: string, username: string, numberOfDigits?: number, lifeTime?: string): Promise<UserPasswordResetStartRes>;
+        passwordResetStart(repo: FlinkRepo<any, User>, auth: JwtAuthPlugin, jwtSecret: string, username: string, numberOfDigits?: number, lifeTime?: string, passwordResetReusableTokens?: boolean): Promise<UserPasswordResetStartRes>;
         passwordResetComplete(repo: FlinkRepo<any, User>, auth: JwtAuthPlugin, jwtSecret: string, passwordResetToken: string, code: string, newPassword: string, createPasswordHashAndSaltMethod?: {
             (password: string): Promise<{
                 hash: string;
                 salt: string;
             } | null>;
-        }): Promise<UserPasswordResetCompleteRes>;
+        }, passwordResetReusableTokens?: boolean): Promise<UserPasswordResetCompleteRes>;
         repoName: string;
         passwordResetSettings?: UserPasswordResetSettings;
         createPasswordHashAndSaltMethod?: {
@@ -50,5 +50,8 @@ export interface genericAuthContext {
         onSuccessfulLogin?: {
             (user: User): Promise<void>;
         };
+        onUserCreated?: {
+            (user: User): Promise<void>;
+        };
     };
 }

package/dist/src/genericAuthPluginOptions.d.ts

@@ -5,6 +5,7 @@ export interface GenericAuthPluginOptions {
     repoName: string;
     enableRoutes?: boolean;
     enablePasswordReset?: boolean;
+    passwordResetReusableTokens?: boolean;
     enablePushNotificationTokens?: boolean;
     passwordResetSettings?: UserPasswordResetSettings;
     enableUserCreation?: boolean;
@@ -27,6 +28,9 @@ export interface GenericAuthPluginOptions {
     onSuccessfulLogin?: {
         (user: User): Promise<void>;
     };
+    onUserCreated?: {
+        (user: User): Promise<void>;
+    };
     /**
      * If true, when a new device is registered, all other devices identified by `deviceId`
      * will be deregistered to avoid duplicate notifications.

package/dist/src/handlers/UserCreate.js

@@ -64,7 +64,7 @@ var userCreateHandler = function (_a) {
                     if (!re.test(username)) {
                         return [2 /*return*/, flink_1.badRequest("Username does not meet requirements", "usernameError")];
                     }
-                    return [4 /*yield*/, ctx.plugins.genericAuthPlugin.createUser(repo, ctx.auth, username.toLocaleLowerCase(), password, authentificationMethod, roles, profile, ctx.plugins.genericAuthPlugin.createPasswordHashAndSaltMethod)];
+                    return [4 /*yield*/, ctx.plugins.genericAuthPlugin.createUser(repo, ctx.auth, username.toLocaleLowerCase(), password, authentificationMethod, roles, profile, ctx.plugins.genericAuthPlugin.createPasswordHashAndSaltMethod, ctx.plugins.genericAuthPlugin.onUserCreated)];
                 case 1:
                     createUserResponse = _c.sent();
                     if (createUserResponse.status != "success") {

package/dist/src/handlers/UserPasswordResetComplete.js

@@ -51,7 +51,7 @@ var postPasswordResetCompleteHandler = function (_a) {
                         return [2 /*return*/, flink_1.internalServerError("Password reset settings is needed to use password-reset")];
                     }
                     jwtSecret = ctx.plugins[pluginName].passwordResetSettings.code.jwtSecret;
-                    return [4 /*yield*/, ctx.plugins.genericAuthPlugin.passwordResetComplete(repo, ctx.auth, jwtSecret, req.body.passwordResetToken, req.body.code, req.body.password, ctx.plugins.genericAuthPlugin.createPasswordHashAndSaltMethod)];
+                    return [4 /*yield*/, ctx.plugins.genericAuthPlugin.passwordResetComplete(repo, ctx.auth, jwtSecret, req.body.passwordResetToken, req.body.code, req.body.password, ctx.plugins.genericAuthPlugin.createPasswordHashAndSaltMethod, ctx.plugins.genericAuthPlugin.passwordResetSettings.passwordResetReusableTokens)];
                 case 1:
                     resp = _b.sent();
                     switch (resp.status) {

package/dist/src/handlers/UserPasswordResetForm.d.ts

@@ -6,4 +6,5 @@ export declare function handleUserPasswordResetForm(_req: ExpressRequest, res: E
 export declare function resetPasswordFormScript(req: ExpressRequest, res: ExpressResponse, { completeUrl }: {
     completeUrl: string;
 }): Promise<void>;
+export declare function resetPasswordFormCss(res: ExpressResponse): Promise<void>;
 export declare const __assumedHttpMethod = "", __file = "UserPasswordResetForm.ts", __query: never[], __params: never[];

package/dist/src/handlers/UserPasswordResetForm.js

@@ -39,12 +39,13 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.__params = exports.__query = exports.__file = exports.__assumedHttpMethod = exports.resetPasswordFormScript = exports.handleUserPasswordResetForm = void 0;
+exports.__params = exports.__query = exports.__file = exports.__assumedHttpMethod = exports.resetPasswordFormCss = exports.resetPasswordFormScript = exports.handleUserPasswordResetForm = void 0;
 var promises_1 = __importDefault(require("fs/promises"));
 var flink_1 = require("@flink-app/flink");
 var handlebars_1 = __importDefault(require("handlebars"));
-var defaultTemplate = "<html>\n<head>\n  <title>Password reset</title>\n  <style>\n    * {\n      box-sizing: border-box;\n      font-family: Arial, Helvetica, sans-serif;\n    }\n\n    p {\n      margin: 0.5rem 0;\n    }\n\n    body {\n      padding: 1rem;\n    }\n\n    form {\n      display: block;\n      max-width: 320px;\n    }\n\n    input {\n      width: 100%;\n      display: block;\n      margin: 0.5rem 0;\n    }\n\n    #success {\n      display: none;\n      font-size: 1.2rem;\n      color: rgb(0, 177, 115);\n      max-width: 350px;\n    }\n  </style>\n  <script src=\"form/script.js\" type=\"text/javascript\"></script>\n</head>\n<body>\n  <form id=\"form\">\n    <p>Please enter new password</p>\n    <input type=\"password\" name=\"password\" placeholder=\"Enter new password\" />\n    <input\n      type=\"password\"\n      name=\"confirmPassword\"\n      placeholder=\"Confirm new password\"\n    />\n    <button id=\"submit-btn\">Submit</button>\n  </form>\n  <div id=\"success\">Password has been updated, please proceed to login.</div>\n</body>\n</html>\n";
+var defaultTemplate = "<html>\n<head>\n  <title>Password reset</title>\n  <link rel=\"stylesheet\" href=\"form/style.css\" />\n  <script src=\"form/script.js\" type=\"text/javascript\"></script>\n</head>\n<body>\n  <form id=\"form\">\n    <p>Please enter new password</p>\n    <input type=\"password\" name=\"password\" placeholder=\"Enter new password\" />\n    <input\n      type=\"password\"\n      name=\"confirmPassword\"\n      placeholder=\"Confirm new password\"\n    />\n    <button id=\"submit-btn\">Submit</button>\n  </form>\n  <div id=\"success\">Password has been updated, please proceed to login.</div>\n</body>\n</html>\n";
 var script = "\n      window.onload = () => {\n      const urlSearchParams = new URLSearchParams(window.location.search);\n      const params = Object.fromEntries(urlSearchParams.entries());\n      const { token, code } = params;\n\n      if (!token) {\n        alert(\"Missing token\");\n      } else if (!code) {\n        alert(\"Missing code\");\n      }\n\n      const submitBtnEl = document.getElementById(\"submit-btn\");\n      const [passwordInputEl, confirmPasswordEl] =\n        document.getElementsByTagName(\"input\");\n\n      submitBtnEl.onclick = async (e) => {\n        e.preventDefault();\n        e.stopPropagation();\n\n        if (!passwordInputEl.value) {\n          return alert(\"Enter a new password\");\n        } else if (passwordInputEl.value !== confirmPasswordEl.value) {\n          return alert(\n            \"Passwords does not match, make sure that new and confirmed passwords are the same\"\n          );\n        }\n\n        const res = await window.fetch(\"{{completeUrl}}\", {\n          method: \"POST\",\n          headers: {\n            Accept: \"application/json\",\n            \"Content-Type\": \"application/json\",\n          },\n          body: JSON.stringify({\n            passwordResetToken: token,\n            code: code,\n            password: passwordInputEl.value,\n          }),\n        });\n\n        if (res.status > 399) {\n          alert(\"Failed to set new password\");\n        } else {\n          document.getElementById(\"form\").style.display = \"none\";\n          document.getElementById(\"success\").style.display = \"block\";\n        }\n      };\n    };\n";
+var style = " * {\n      box-sizing: border-box;\n      font-family: Arial, Helvetica, sans-serif;\n    }\n\n    p {\n      margin: 0.5rem 0;\n    }\n\n    body {\n      padding: 1rem;\n    }\n\n    form {\n      display: block;\n      max-width: 320px;\n    }\n\n    input {\n      width: 100%;\n      display: block;\n      margin: 0.5rem 0;\n    }\n\n    #success {\n      display: none;\n      font-size: 1.2rem;\n      color: rgb(0, 177, 115);\n      max-width: 350px;\n    }\n";
 function handleUserPasswordResetForm(_req, res, _a) {
     var templateFile = _a.templateFile, completeUrl = _a.completeUrl;
     return __awaiter(this, void 0, void 0, function () {
@@ -77,6 +78,16 @@ function resetPasswordFormScript(req, res, _a) {
     });
 }
 exports.resetPasswordFormScript = resetPasswordFormScript;
+function resetPasswordFormCss(res) {
+    return __awaiter(this, void 0, void 0, function () {
+        return __generator(this, function (_a) {
+            res.header("Content-Type", "text/css");
+            res.send(style);
+            return [2 /*return*/];
+        });
+    });
+}
+exports.resetPasswordFormCss = resetPasswordFormCss;
 var cachedTemplate = "";
 function readTemplate(templateFilename) {
     return __awaiter(this, void 0, void 0, function () {

package/dist/src/handlers/UserPasswordResetStart.js

@@ -60,7 +60,7 @@ var postPasswordResetStartHandler = function (_a) {
                         return [2 /*return*/, flink_1.internalServerError("Password reset settings is needed to use /password/reset")];
                     }
                     _b = genericAuthPlugin.passwordResetSettings.code, jwtSecret = _b.jwtSecret, numberOfDigits = _b.numberOfDigits, lifeTime = _b.lifeTime;
-                    return [4 /*yield*/, genericAuthPlugin.passwordResetStart(repo, ctx.auth, jwtSecret, req.body.username, numberOfDigits, lifeTime)];
+                    return [4 /*yield*/, genericAuthPlugin.passwordResetStart(repo, ctx.auth, jwtSecret, req.body.username, numberOfDigits, lifeTime, genericAuthPlugin.passwordResetSettings.passwordResetReusableTokens)];
                 case 1:
                     resp = _d.sent();
                     if (resp.status != "success") {

package/dist/src/init.js

@@ -34,7 +34,7 @@ var postUserRemoveTokenHandler = __importStar(require("./handlers/UserPushRemove
 var getUserTokenHandler = __importStar(require("./handlers/UserToken"));
 var UserPasswordResetForm_1 = require("./handlers/UserPasswordResetForm");
 function init(app, options) {
-    var _a, _b, _c;
+    var _a, _b, _c, _d;
     if (options.enableUserCreation == null)
         options.enableUserCreation = true;
     if (options.enableProfileUpdate == null)
@@ -124,7 +124,10 @@ function init(app, options) {
                     });
                 });
                 (_c = app.expressApp) === null || _c === void 0 ? void 0 : _c.get(options.baseUrl + "/password/reset/form/script.js", function (req, res) {
-                    UserPasswordResetForm_1.resetPasswordFormScript(req, res, { completeUrl: options.baseUrl + "/password/reset/complete", });
+                    UserPasswordResetForm_1.resetPasswordFormScript(req, res, { completeUrl: options.baseUrl + "/password/reset/complete" });
+                });
+                (_d = app.expressApp) === null || _d === void 0 ? void 0 : _d.get(options.baseUrl + "/password/reset/form/style.css", function (req, res) {
+                    UserPasswordResetForm_1.resetPasswordFormCss(res);
                 });
             }
         }

package/dist/src/schemas/User.d.ts

@@ -5,6 +5,7 @@ export interface User {
     username: string;
     password?: string;
     salt?: string;
+    pwdResetStartedAt?: string;
     roles: string[];
     authentificationMethod: "password" | "sms";
     profile: UserProfile;

package/dist/src/schemas/UserPasswordResetSettings.d.ts

@@ -20,5 +20,6 @@ export interface UserPasswordResetSettings {
     enablePasswordResetForm?: boolean;
     passwordResetForm?: string;
     resetPasswordFormBaseUrl?: string;
+    passwordResetReusableTokens?: boolean;
 }
 export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flink-app/generic-auth-plugin",
-  "version": "0.11.15",
+  "version": "0.11.17",
   "description": "Flink plugin that provides a generic user authentification solution.",
   "scripts": {
     "test": "echo \"Error: no test specified\"",
@@ -30,5 +30,5 @@
     "ts-node": "^9.1.1",
     "typescript": "^4.2.4"
   },
-  "gitHead": "0f29761331501ccb5678c5da6801fa12f9a23f9d"
+  "gitHead": "bd864fc2a0c9d7c266ee868041b1b00b7c339243"
 }

package/src/coreFunctions.ts

@@ -50,6 +50,9 @@ export async function createUser(
     profile: UserProfile,
     createPasswordHashAndSaltMethod?: {
         (password: string): Promise<{ hash: string; salt: string } | null>;
+    },
+    onUserCreated?: {
+        (user: User): Promise<void>;
     }
 ): Promise<UserCreateRes> {
     if (!roles.includes("user")) roles.push("user");
@@ -87,6 +90,10 @@ export async function createUser(
 
     const user = await repo.create(userData);
 
+    if (onUserCreated) {
+        await onUserCreated(user);
+    }
+
     const token = await auth.createToken({ username: username.toLowerCase(), _id: user._id }, roles);
 
     if (user.authentificationMethod == "sms") {
@@ -285,7 +292,8 @@ export async function passwordResetStart(
     jwtSecret: string,
     username: string,
     numberOfDigits?: number,
-    lifeTime?: string
+    lifeTime?: string,
+    passwordResetReusableTokens: boolean = true
 ): Promise<UserPasswordResetStartRes> {
     const user = await repo.getOne({ username: username.toLowerCase() });
 
@@ -295,8 +303,6 @@ export async function passwordResetStart(
     };
     const fakeToken = jsonwebtoken.sign(fakepayload, "fake_payload", { expiresIn: lifeTime });
 
-
-
     if (user == null) {
         return { status: "userNotFound", passwordResetToken : fakeToken };
     }
@@ -314,7 +320,14 @@ export async function passwordResetStart(
     };
     const code = generate(numberOfDigits);
 
-    const secret = jwtSecret + ":" + code;
+    const pwdResetStartedAt = new Date().toISOString();
+    let secret;
+    if(passwordResetReusableTokens) {
+        secret = jwtSecret + ":" + code;
+    } else {
+        secret = jwtSecret + ":" + code + ":" + pwdResetStartedAt;
+        await repo.updateOne(user._id, { pwdResetStartedAt });
+    }
 
     const options: jsonwebtoken.SignOptions = {
         expiresIn: lifeTime,
@@ -339,25 +352,38 @@ export async function passwordResetComplete(
     newPassword: string,
     createPasswordHashAndSaltMethod?: {
         (password: string): Promise<{ hash: string; salt: string } | null>;
-    }
+    },
+    passwordResetReusableTokens: boolean = true
 ): Promise<UserPasswordResetCompleteRes> {
-    let payload: { type: string; username: string } = { type: "", username: "" };
-    try {
-        const secret = jwtSecret + ":" + code;
-        payload = <{ type: string; username: string }>jsonwebtoken.verify(passwordResetToken, secret);
-    } catch (ex) {
+
+    const payload = <{ username:string }>jsonwebtoken.decode(passwordResetToken);
+
+    if(!payload || !payload.username)
         return { status: "invalidCode" };
-    }
 
     const user = await repo.getOne({ username: payload.username });
-    if (user == null) {
+
+    if (!user || user == null || user.authentificationMethod != "password") {
         return { status: "userNotFound" };
     }
 
-    if (user.authentificationMethod != "password") {
-        return { status: "userNotFound" };
+    let secret;
+    if (passwordResetReusableTokens === true) {
+        secret = jwtSecret + ":" + code;
+    } else {
+        if (!user.pwdResetStartedAt || user.pwdResetStartedAt === null) {
+            return { status: "userNotFound" };
+        }
+        secret = jwtSecret + ":" + code + ":" + user.pwdResetStartedAt;
     }
 
+    try {
+        jsonwebtoken.verify(passwordResetToken, secret);
+    } catch (ex) {
+        return { status: "invalidCode" };
+    }
+
+
     let passwordAndSalt = null;
 
     if (createPasswordHashAndSaltMethod == null) {
@@ -375,6 +401,7 @@ export async function passwordResetComplete(
     await repo.updateOne(user._id, {
         password: passwordAndSalt.hash,
         salt: passwordAndSalt.salt,
+        pwdResetStartedAt: null
     });
 
     return { status: "success" };

package/src/genericAuthContext.ts

@@ -1,32 +1,73 @@
-import { FlinkRepo  } from "@flink-app/flink";
+import { FlinkRepo } from "@flink-app/flink";
 import { JwtAuthPlugin } from "@flink-app/jwt-auth-plugin";
 import { User } from "./schemas/User";
 import { UserCreateRes } from "./schemas/UserCreateRes";
 import { UserLoginRes } from "./schemas/UserLoginRes";
 import { UserProfile } from "./schemas/UserProfile";
 import { UserPasswordChangeRes } from "./schemas/UserPasswordChangeRes";
-import { UserPasswordResetSettings} from "./schemas/UserPasswordResetSettings"
-import { UserPasswordResetStartRes } from "./schemas/UserPasswordResetStartRes"
-import { UserPasswordResetCompleteRes } from "./schemas/UserPasswordResetCompleteRes"
+import { UserPasswordResetSettings } from "./schemas/UserPasswordResetSettings";
+import { UserPasswordResetStartRes } from "./schemas/UserPasswordResetStartRes";
+import { UserPasswordResetCompleteRes } from "./schemas/UserPasswordResetCompleteRes";
 import { GenericAuthsmsOptions } from "./genericAuthPluginOptions";
 
-export interface genericAuthContext{
-    genericAuthPlugin : {
-
-    
-        loginUser( repo : FlinkRepo<any, User>, auth : JwtAuthPlugin, username : string, password? : string, validatePasswordMethod? : { (password : string, hash : string, salt : string) : Promise<boolean>  }, smsOptions? : GenericAuthsmsOptions, onSuccessfulLogin?: (user:User) => Promise<void> ) : Promise<UserLoginRes>,
-        loginByToken(repo: FlinkRepo<any, User>, auth: JwtAuthPlugin, token : string, code : string,  jwtSecret : string) : Promise<UserLoginRes>,
-        createUser( repo : FlinkRepo<any, User>, auth : JwtAuthPlugin, username : string, password : string, authentificationMethod : "password" | "sms",  roles : string[], profile : UserProfile, createPasswordHashAndSaltMethod? : { (password : string) : Promise<{ hash: string; salt: string;} | null>  }  ) : Promise<UserCreateRes>,
-        changePassword( repo : FlinkRepo<any, User>, auth : JwtAuthPlugin, userId : string, newPassword : string, createPasswordHashAndSaltMethod? : { (password : string) : Promise<{ hash: string; salt: string;} | null>  } ) : Promise<UserPasswordChangeRes>,
-        passwordResetStart( repo : FlinkRepo<any, User>, auth : JwtAuthPlugin, jwtSecret : string, username : string, numberOfDigits? : number, lifeTime? : string) : Promise<UserPasswordResetStartRes>,
-        passwordResetComplete( repo : FlinkRepo<any, User>, auth : JwtAuthPlugin, jwtSecret : string, passwordResetToken : string, code : string, newPassword : string, createPasswordHashAndSaltMethod? : { (password : string) : Promise<{ hash: string; salt: string;} | null>  } ) : Promise<UserPasswordResetCompleteRes>         
-        repoName : string,
-        passwordResetSettings? : UserPasswordResetSettings,
-        createPasswordHashAndSaltMethod? : { (password : string) : Promise<{ hash: string; salt: string;} | null>  },
-        validatePasswordMethod? : { (password : string, hash : string, salt : string) : Promise<boolean>  },
-        usernameFormat : RegExp      
-        smsOptions? : GenericAuthsmsOptions,
-        onSuccessfulLogin?: { (user:User) : Promise<void> }
-    }
-
+export interface genericAuthContext {
+    genericAuthPlugin: {
+        loginUser(
+            repo: FlinkRepo<any, User>,
+            auth: JwtAuthPlugin,
+            username: string,
+            password?: string,
+            validatePasswordMethod?: { (password: string, hash: string, salt: string): Promise<boolean> },
+            smsOptions?: GenericAuthsmsOptions,
+            onSuccessfulLogin?: (user: User) => Promise<void>
+        ): Promise<UserLoginRes>;
+        loginByToken(repo: FlinkRepo<any, User>, auth: JwtAuthPlugin, token: string, code: string, jwtSecret: string): Promise<UserLoginRes>;
+        createUser(
+            repo: FlinkRepo<any, User>,
+            auth: JwtAuthPlugin,
+            username: string,
+            password: string,
+            authentificationMethod: "password" | "sms",
+            roles: string[],
+            profile: UserProfile,
+            createPasswordHashAndSaltMethod?: {
+                (password: string): Promise<{ hash: string; salt: string } | null>;
+            },
+            onUserCreated?: (user: User) => Promise<void>
+        ): Promise<UserCreateRes>;
+        changePassword(
+            repo: FlinkRepo<any, User>,
+            auth: JwtAuthPlugin,
+            userId: string,
+            newPassword: string,
+            createPasswordHashAndSaltMethod?: { (password: string): Promise<{ hash: string; salt: string } | null> }
+        ): Promise<UserPasswordChangeRes>;
+        passwordResetStart(
+            repo: FlinkRepo<any, User>,
+            auth: JwtAuthPlugin,
+            jwtSecret: string,
+            username: string,
+            numberOfDigits?: number,
+            lifeTime?: string,
+            passwordResetReusableTokens?: boolean
+        ): Promise<UserPasswordResetStartRes>;
+        passwordResetComplete(
+            repo: FlinkRepo<any, User>,
+            auth: JwtAuthPlugin,
+            jwtSecret: string,
+            passwordResetToken: string,
+            code: string,
+            newPassword: string,
+            createPasswordHashAndSaltMethod?: { (password: string): Promise<{ hash: string; salt: string } | null> },
+            passwordResetReusableTokens?: boolean
+        ): Promise<UserPasswordResetCompleteRes>;
+        repoName: string;
+        passwordResetSettings?: UserPasswordResetSettings;
+        createPasswordHashAndSaltMethod?: { (password: string): Promise<{ hash: string; salt: string } | null> };
+        validatePasswordMethod?: { (password: string, hash: string, salt: string): Promise<boolean> };
+        usernameFormat: RegExp;
+        smsOptions?: GenericAuthsmsOptions;
+        onSuccessfulLogin?: { (user: User): Promise<void> };
+        onUserCreated?: { (user: User): Promise<void> };
+    };
 }

package/src/genericAuthPluginOptions.ts

@@ -5,6 +5,7 @@ export interface GenericAuthPluginOptions {
     repoName: string;
     enableRoutes?: boolean;
     enablePasswordReset?: boolean;
+    passwordResetReusableTokens?: boolean;
     enablePushNotificationTokens?: boolean;
     passwordResetSettings?: UserPasswordResetSettings;
     enableUserCreation?: boolean;
@@ -24,6 +25,9 @@ export interface GenericAuthPluginOptions {
     onSuccessfulLogin?: {
         (user: User): Promise<void>;
     };
+    onUserCreated?: {
+        (user: User): Promise<void>;
+    };
     /**
      * If true, when a new device is registered, all other devices identified by `deviceId`
      * will be deregistered to avoid duplicate notifications.

package/src/handlers/UserCreate.ts

@@ -35,7 +35,8 @@ const userCreateHandler: Handler<FlinkContext<genericAuthContext>, UserCreateReq
         authentificationMethod,
         roles,
         profile,
-        ctx.plugins.genericAuthPlugin.createPasswordHashAndSaltMethod
+        ctx.plugins.genericAuthPlugin.createPasswordHashAndSaltMethod,
+        ctx.plugins.genericAuthPlugin.onUserCreated
     );
     if (createUserResponse.status != "success") {
         switch (createUserResponse.status) {

package/src/handlers/UserPasswordResetComplete.ts

@@ -34,7 +34,8 @@ const postPasswordResetCompleteHandler: Handler<
     req.body.passwordResetToken,
     req.body.code,
     req.body.password,
-    ctx.plugins.genericAuthPlugin.createPasswordHashAndSaltMethod
+    ctx.plugins.genericAuthPlugin.createPasswordHashAndSaltMethod,
+    ctx.plugins.genericAuthPlugin.passwordResetSettings.passwordResetReusableTokens
   );
 
   switch (resp.status) {

package/src/handlers/UserPasswordResetForm.ts

@@ -6,38 +6,7 @@ import Handlebars from "handlebars";
 const defaultTemplate = `<html>
 <head>
   <title>Password reset</title>
-  <style>
-    * {
-      box-sizing: border-box;
-      font-family: Arial, Helvetica, sans-serif;
-    }
-
-    p {
-      margin: 0.5rem 0;
-    }
-
-    body {
-      padding: 1rem;
-    }
-
-    form {
-      display: block;
-      max-width: 320px;
-    }
-
-    input {
-      width: 100%;
-      display: block;
-      margin: 0.5rem 0;
-    }
-
-    #success {
-      display: none;
-      font-size: 1.2rem;
-      color: rgb(0, 177, 115);
-      max-width: 350px;
-    }
-  </style>
+  <link rel="stylesheet" href="form/style.css" />
   <script src="form/script.js" type="text/javascript"></script>
 </head>
 <body>
@@ -107,6 +76,38 @@ const script = `
     };
 `;
 
+const style =` * {
+      box-sizing: border-box;
+      font-family: Arial, Helvetica, sans-serif;
+    }
+
+    p {
+      margin: 0.5rem 0;
+    }
+
+    body {
+      padding: 1rem;
+    }
+
+    form {
+      display: block;
+      max-width: 320px;
+    }
+
+    input {
+      width: 100%;
+      display: block;
+      margin: 0.5rem 0;
+    }
+
+    #success {
+      display: none;
+      font-size: 1.2rem;
+      color: rgb(0, 177, 115);
+      max-width: 350px;
+    }
+`;
+
 export async function handleUserPasswordResetForm(
   _req: ExpressRequest,
   res: ExpressResponse,
@@ -127,6 +128,11 @@ export async function resetPasswordFormScript(req: ExpressRequest, res: ExpressR
     res.send(js);
 }
 
+export async function resetPasswordFormCss(res: ExpressResponse) {
+  res.header("Content-Type", "text/css");
+  res.send(style);
+}
+
 let cachedTemplate = "";
 
 async function readTemplate(templateFilename?: string) {

package/src/handlers/UserPasswordResetStart.ts

@@ -27,7 +27,7 @@ const postPasswordResetStartHandler: Handler<
 
     const { jwtSecret, numberOfDigits, lifeTime } = genericAuthPlugin.passwordResetSettings.code;
 
-    const resp = await genericAuthPlugin.passwordResetStart(repo, <JwtAuthPlugin>ctx.auth, jwtSecret, req.body.username, numberOfDigits, lifeTime);
+    const resp = await genericAuthPlugin.passwordResetStart(repo, <JwtAuthPlugin>ctx.auth, jwtSecret, req.body.username, numberOfDigits, lifeTime, genericAuthPlugin.passwordResetSettings.passwordResetReusableTokens);
 
     if (resp.status != "success") {
       return { data: { status: "success", passwordResetToken: resp.passwordResetToken } };

package/src/init.ts

@@ -11,7 +11,11 @@ import { GenericAuthPluginOptions } from "./genericAuthPluginOptions";
 import * as postUserPushRegisterTokenHandler from "./handlers/UserPushRegisterToken";
 import * as postUserRemoveTokenHandler from "./handlers/UserPushRemoveToken";
 import * as getUserTokenHandler from "./handlers/UserToken";
-import { handleUserPasswordResetForm, resetPasswordFormScript } from "./handlers/UserPasswordResetForm";
+import {
+  handleUserPasswordResetForm,
+  resetPasswordFormCss,
+  resetPasswordFormScript,
+} from "./handlers/UserPasswordResetForm";
 
 export function init(app: FlinkApp<any>, options: GenericAuthPluginOptions) {
   if (options.enableUserCreation == null) options.enableUserCreation = true;
@@ -110,7 +114,14 @@ export function init(app: FlinkApp<any>, options: GenericAuthPluginOptions) {
         app.expressApp?.get(
             options.baseUrl + "/password/reset/form/script.js",
             (req, res) => {
-              resetPasswordFormScript(req, res, { completeUrl: options.baseUrl + "/password/reset/complete", });
+              resetPasswordFormScript(req, res, { completeUrl: options.baseUrl + "/password/reset/complete"});
+            }
+        );
+
+        app.expressApp?.get(
+            options.baseUrl + "/password/reset/form/style.css",
+            (req, res) => {
+              resetPasswordFormCss(res);
             }
         );
       }

package/src/schemas/User.ts

@@ -8,6 +8,7 @@ export interface User {
     password?: string;
     salt? : string;
 
+    pwdResetStartedAt?: string;
     roles: string[];
     
     authentificationMethod : "password" | "sms";

package/src/schemas/UserPasswordResetSettings.ts

@@ -23,5 +23,6 @@ export interface UserPasswordResetSettings {
     enablePasswordResetForm?: boolean;
     passwordResetForm?: string;
     resetPasswordFormBaseUrl?: string;
+    passwordResetReusableTokens?: boolean;
 
 }