@hed-hog/core 0.0.276 → 0.0.278

package/hedhog/frontend/messages/en.json

@@ -208,7 +208,24 @@
     "roleRemoved": "Role removed successfully",
     "errorLoadingRoles": "Error loading roles",
     "errorAssigningRole": "Error assigning role",
-    "errorRemovingRole": "Error removing role"
+    "errorRemovingRole": "Error removing role",
+    "passwordResetTitle": "Password Reset",
+    "passwordResetDescription": "Generate a new password for this user.",
+    "passwordResetNotice": "After this reset, the user must change the password on the next login.",
+    "buttonResetPassword": "Reset Password",
+    "passwordResetDialogTitle": "Reset User Password",
+    "passwordResetDialogDescription": "A strong password is generated by default. You can edit it before confirming.",
+    "passwordResetFieldLabel": "New temporary password",
+    "buttonRegeneratePassword": "Regenerate password",
+    "passwordResetConfirm": "Confirm reset",
+    "passwordResetSubmitting": "Resetting...",
+    "passwordResetSuccess": "Password reset successfully.",
+    "passwordResultTitle": "Password Generated",
+    "passwordResultDescription": "Copy and share this password now. It will only be shown once.",
+    "buttonCopyPassword": "Copy password",
+    "passwordCopied": "Password copied to clipboard.",
+    "passwordCopyError": "Unable to copy password.",
+    "close": "Close"
   },
   "RolePage": {
     "title": "Roles Management",
@@ -401,6 +418,7 @@
     "passwordRequired": "Password is required",
     "passwordMinLength": "Password must be at least 6 characters long",
     "mfaVerificationMessage": "Enter the verification code",
+    "passwordResetRequiredMessage": "You must change your password before continuing.",
     "hidePassword": "Hide password",
     "showPassword": "Show password",
     "loginWith": "Sign in with"

package/hedhog/frontend/messages/pt.json

@@ -208,7 +208,24 @@
     "roleRemoved": "Cargo removido com sucesso",
     "errorLoadingRoles": "Erro ao carregar cargos",
     "errorAssigningRole": "Erro ao atribuir cargo",
-    "errorRemovingRole": "Erro ao remover cargo"
+    "errorRemovingRole": "Erro ao remover cargo",
+    "passwordResetTitle": "Redefinição de senha",
+    "passwordResetDescription": "Gere uma nova senha para este usuário.",
+    "passwordResetNotice": "Após essa redefinição, o usuário será obrigado a alterar a senha no próximo login.",
+    "buttonResetPassword": "Redefinir senha",
+    "passwordResetDialogTitle": "Redefinir senha do usuário",
+    "passwordResetDialogDescription": "Uma senha forte é gerada por padrão. Você pode editar antes de confirmar.",
+    "passwordResetFieldLabel": "Nova senha temporária",
+    "buttonRegeneratePassword": "Gerar outra senha",
+    "passwordResetConfirm": "Confirmar redefinição",
+    "passwordResetSubmitting": "Redefinindo...",
+    "passwordResetSuccess": "Senha redefinida com sucesso.",
+    "passwordResultTitle": "Senha gerada",
+    "passwordResultDescription": "Copie e compartilhe essa senha agora. Ela será exibida apenas uma vez.",
+    "buttonCopyPassword": "Copiar senha",
+    "passwordCopied": "Senha copiada para a área de transferência.",
+    "passwordCopyError": "Não foi possível copiar a senha.",
+    "close": "Fechar"
   },
   "RolePage": {
     "title": "Gerenciamento de Cargos",
@@ -401,6 +418,7 @@
     "passwordRequired": "Senha obrigatória",
     "passwordMinLength": "Senha mínima de 6 caracteres",
     "mfaVerificationMessage": "Digite o código de verificação",
+    "passwordResetRequiredMessage": "Você deve alterar sua senha antes de continuar.",
     "hidePassword": "Ocultar senha",
     "showPassword": "Mostrar senha",
     "loginWith": "Entrar com"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hed-hog/core",
-  "version": "0.0.276",
+  "version": "0.0.278",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "dependencies": {
@@ -31,11 +31,11 @@
     "speakeasy": "^2.0.0",
     "uuid": "^11.1.0",
     "@hed-hog/api-pagination": "0.0.6",
-    "@hed-hog/api-prisma": "0.0.5",
     "@hed-hog/api-types": "0.0.1",
+    "@hed-hog/api-prisma": "0.0.5",
     "@hed-hog/api-mail": "0.0.8",
-    "@hed-hog/api": "0.0.4",
-    "@hed-hog/api-locale": "0.0.13"
+    "@hed-hog/api-locale": "0.0.13",
+    "@hed-hog/api": "0.0.4"
   },
   "exports": {
     ".": {

package/src/auth/auth.controller.ts

@@ -1,18 +1,19 @@
 import { Public, Role, User, UserOptional } from '@hed-hog/api';
 import { Locale } from '@hed-hog/api-locale';
-import {
-  BadRequestException,
-  Body,
-  Controller,
-  forwardRef,
-  Get,
-  Headers,
-  Inject,
-  Ip,
-  Post,
-  Req,
-  Res
-} from '@nestjs/common';
+import {
+    BadRequestException,
+    Body,
+    Controller,
+    forwardRef,
+    Get,
+    Headers,
+    Inject,
+    Ip,
+    Post,
+    Req,
+    Res,
+    UnauthorizedException,
+} from '@nestjs/common';
 import { TokenService } from '../token/token.service';
 import { CreateWithEmailAndPasswordDTO } from '../user/dto/create-with-email-and-password.dto';
 import { UserService } from '../user/user.service';
@@ -123,7 +124,7 @@ export class AuthController {
     @Headers('user-agent') userAgent: string,
     @Res({ passthrough: true }) res,
   ) {
-    const { accessToken, refreshToken, session } = await this.service.verifyMfaCode(
+    const { accessToken, refreshToken, session, requiresPasswordReset } = await this.service.verifyMfaCode(
       locale,
       token,
       code,
@@ -133,7 +134,7 @@ export class AuthController {
     );
 
     await this.token.setRefreshTokenCookie(locale, res, refreshToken, session.expires_at);
-    return { accessToken, refreshToken };
+    return { accessToken, refreshToken, requiresPasswordReset };
   }
 
   @Public()
@@ -145,7 +146,7 @@ export class AuthController {
     @Headers('user-agent') userAgent: string,
     @Res({ passthrough: true }) res,
   ) {
-    const { accessToken, refreshToken, session } = await this.service.verifyMfaRecoveryCode(
+    const { accessToken, refreshToken, session, requiresPasswordReset } = await this.service.verifyMfaRecoveryCode(
       locale,
       token,
       code,
@@ -154,7 +155,7 @@ export class AuthController {
     );
 
     await this.token.setRefreshTokenCookie(locale, res, refreshToken, session.expires_at);
-    return { accessToken, refreshToken };
+    return { accessToken, refreshToken, requiresPasswordReset };
   }
 
   @Public()
@@ -184,7 +185,7 @@ export class AuthController {
     @Headers('user-agent') userAgent: string,
     @Res({ passthrough: true }) res,
   ) {
-    const { accessToken, refreshToken, session } = await this.service.verifyWebAuthnAuthentication(
+    const { accessToken, refreshToken, session, requiresPasswordReset } = await this.service.verifyWebAuthnAuthentication(
       locale,
       mfaToken,
       assertionResponse,
@@ -193,7 +194,7 @@ export class AuthController {
     );
 
     await this.token.setRefreshTokenCookie(locale, res, refreshToken, session.expires_at);
-    return { accessToken, refreshToken };
+    return { accessToken, refreshToken, requiresPasswordReset };
   }
 
   @Public()
@@ -215,7 +216,7 @@ export class AuthController {
   ) {
     const refreshToken = req.cookies['rt'] || refreshTokenFromBody;
     if (!refreshToken) {
-      throw new BadRequestException('Refresh token not provided');
+      throw new UnauthorizedException('Refresh token not provided');
     }
 
     await this.service.logout(res, req, refreshToken);

package/src/auth/auth.service.ts

@@ -1,13 +1,14 @@
 import { getLocaleText } from '@hed-hog/api-locale';
 import { PrismaService } from '@hed-hog/api-prisma';
 import { User } from '@hed-hog/api-types';
-import {
-  BadRequestException,
-  forwardRef,
-  Inject,
-  Injectable,
-  NotFoundException,
-} from '@nestjs/common';
+import {
+    BadRequestException,
+    forwardRef,
+    Inject,
+    Injectable,
+    NotFoundException,
+    UnauthorizedException,
+} from '@nestjs/common';
 import { ChallengeService } from '../challenge/challenge.service';
 import { MailService as MailManagerService } from '../mail/mail.service';
 import { SecurityService } from '../security/security.service';
@@ -54,6 +55,31 @@ export class AuthService {
 
   }
 
+  private hasPendingPasswordReset(user: User | any) {
+    return Boolean(
+      user?.user_credential?.some(
+        (credential) =>
+          credential.type === 'password' &&
+          credential.requires_reset === true &&
+          !credential.revoked_at,
+      ),
+    );
+  }
+
+  private async getRequiresPasswordResetByUserId(userId: number) {
+    const credential = await this.prisma.user_credential.findFirst({
+      where: {
+        user_id: userId,
+        type: 'password',
+        requires_reset: true,
+        revoked_at: null,
+      },
+      select: { id: true },
+    });
+
+    return Boolean(credential?.id);
+  }
+
   async requiresMfaForLogin(locale: string, email: string, user: any) {
 
     console.log('MFA required, setting up email MFA');
@@ -340,11 +366,13 @@ export class AuthService {
 
     await this.token.setRefreshTokenCookie(locale, res, refreshToken, session.expires_at);
 
+    const requiresPasswordReset = this.hasPendingPasswordReset(user);
+
     if (refreshToken) {
-      return { accessToken, refreshToken };
+      return { accessToken, refreshToken, requiresPasswordReset };
     }
 
-    return { accessToken };
+    return { accessToken, requiresPasswordReset };
   }
 
   async loginWithEmailAndPassword(
@@ -358,10 +386,17 @@ export class AuthService {
     const user = await this.user.findUserByEmail(locale, email);
 
     if (!user) throw new BadRequestException(getLocaleText('accessDenied', locale, 'Access denied.'));
+
+    console.debug({ user });
+
     const credentials = (user as unknown as User).user_credential?.filter((c) => c.type === 'password') || [];
+
+    console.debug({ credentials });
+
     const identifier = user.user_identifier?.find((i) => i.type === 'email' && i.value === email);
 
     if (!(await this.security.validatePassword(locale, credentials, password))) {
+      console.debug('Invalid password');
       throw new BadRequestException(getLocaleText('accessDenied', locale, 'Access denied.'));
     }
 
@@ -435,14 +470,18 @@ export class AuthService {
 
   async verifyUser(locale: string, userId: number) {
     const user = await this.user.findUserById(locale, userId);
+    const requiresPasswordReset = this.hasPendingPasswordReset(user);
     delete user.user_credential;
-    return user;
+    return {
+      ...user,
+      requires_password_reset: requiresPasswordReset,
+    };
   }
 
   async refreshAccessToken(locale: string, refreshToken: string, ipAddress: string, userAgent: string) {
 
     if (!refreshToken) {
-      throw new BadRequestException(getLocaleText('accessDenied', locale, 'Access denied.'));
+      throw new UnauthorizedException(getLocaleText('accessDenied', locale, 'Access denied.'));
     }
 
     const { session, token } = await this.session.refresh(
@@ -492,7 +531,7 @@ export class AuthService {
           }
         }
       },
-      data: { hash: passwordHash },
+      data: { hash: passwordHash, requires_reset: false },
     });
 
     const userIdentifier = await this.prisma.user_identifier.findFirst({
@@ -646,7 +685,10 @@ export class AuthService {
     );
 
     await this.user.registerUserActivity(user.id, "login");
-    return { accessToken, refreshToken, session };
+    const requiresPasswordReset = await this.getRequiresPasswordResetByUserId(
+      user.id,
+    );
+    return { accessToken, refreshToken, session, requiresPasswordReset };
   }
 
   async verifyMfaRecoveryCode(locale: string, mfaToken: string, recoveryCode: string, ipAddress: string, userAgent: string) {
@@ -685,7 +727,10 @@ export class AuthService {
     );
 
     await this.user.registerUserActivity(user.id, "login");
-    return { accessToken, refreshToken, session };
+    const requiresPasswordReset = await this.getRequiresPasswordResetByUserId(
+      user.id,
+    );
+    return { accessToken, refreshToken, session, requiresPasswordReset };
   }
 
   async resendMfaCode(locale: string, mfaToken: string) {
@@ -846,6 +891,9 @@ export class AuthService {
     );
 
     await this.user.registerUserActivity(userId, 'login');
-    return { accessToken, refreshToken, session };
+    const requiresPasswordReset = await this.getRequiresPasswordResetByUserId(
+      userId,
+    );
+    return { accessToken, refreshToken, session, requiresPasswordReset };
   }
 }

package/src/profile/profile.service.ts

@@ -355,7 +355,7 @@ export class ProfileService {
     const passwordHash = await this.security.hashArgon2(newPassword);
     await this.prisma.user_credential.update({
       where: { id: credential.id },
-      data: { hash: passwordHash },
+      data: { hash: passwordHash, requires_reset: false },
     });
 
     // Get user data and email for notification

package/src/role/guards/role.guard.ts

@@ -2,13 +2,13 @@ import { IS_PUBLIC_KEY, WITH_ROLE } from '@hed-hog/api';
 import { getLocaleText } from '@hed-hog/api-locale';
 import { PrismaService } from '@hed-hog/api-prisma';
 import {
-  CanActivate,
-  ExecutionContext,
-  forwardRef,
-  Inject,
-  Injectable,
-  RequestMethod,
-  UnauthorizedException,
+    CanActivate,
+    ExecutionContext,
+    forwardRef,
+    Inject,
+    Injectable,
+    RequestMethod,
+    UnauthorizedException,
 } from '@nestjs/common';
 import { METHOD_METADATA } from '@nestjs/common/constants';
 import { Reflector } from '@nestjs/core';
@@ -16,6 +16,11 @@ import { Request } from 'express';
 
 @Injectable()
 export class RoleGuard implements CanActivate {
+  private readonly forcePasswordResetAllowedRoutes = new Set([
+    'PUT /profile/change-password',
+    'GET /auth/verify',
+  ]);
+
   constructor(
     private reflector: Reflector,
     @Inject(forwardRef(() => PrismaService))
@@ -128,6 +133,30 @@ export class RoleGuard implements CanActivate {
       throw new UnauthorizedException(message);
     }
 
+    const hasPendingPasswordReset = await this.prisma.user_credential.findFirst({
+      where: {
+        user_id: userId,
+        type: 'password',
+        requires_reset: true,
+        revoked_at: null,
+      },
+      select: { id: true },
+    });
+
+    if (
+      hasPendingPasswordReset &&
+      !this.forcePasswordResetAllowedRoutes.has(`${httpMethod} ${fullPath}`)
+    ) {
+      const locale = request['locale'] || 'en';
+      throw new UnauthorizedException(
+        getLocaleText(
+          'profile.changePassword.required',
+          locale,
+          'Password update required before accessing this resource.',
+        ),
+      );
+    }
+
     return true;
   }
 

package/src/session/session.service.ts

@@ -2,7 +2,7 @@ import { getLocaleText } from '@hed-hog/api-locale';
 import { PaginationDTO, PaginationService } from '@hed-hog/api-pagination';
 import { PrismaService } from '@hed-hog/api-prisma';
 import { HttpService } from '@nestjs/axios';
-import { BadRequestException, forwardRef, HttpException, HttpStatus, Inject, Injectable, NotFoundException } from '@nestjs/common';
+import { BadRequestException, forwardRef, HttpException, HttpStatus, Inject, Injectable, NotFoundException, UnauthorizedException } from '@nestjs/common';
 import { firstValueFrom } from 'rxjs';
 import { SecurityService } from '../security/security.service';
 import { SettingService } from '../setting/setting.service';
@@ -88,7 +88,7 @@ export class SessionService {
     });
 
     if (!session) {
-      throw new BadRequestException(getLocaleText('accessDenied', locale, 'Access denied.'));
+      throw new UnauthorizedException(getLocaleText('accessDenied', locale, 'Access denied.'));
     }
 
     await this.prisma.user_session.update({

package/src/user/dto/reset-password.dto.ts

@@ -0,0 +1,11 @@
+import { getLocaleText } from '@hed-hog/api-locale';
+import { IsOptional } from 'class-validator';
+import { IsStrongPasswordWithSettings } from '../../validators/is-strong-password-with-settings.validator';
+
+export class ResetPasswordDTO {
+  @IsOptional()
+  @IsStrongPasswordWithSettings({
+    message: (args) => getLocaleText('validation.passwordStrength', args.value),
+  })
+  password?: string;
+}

package/src/user/user.controller.ts

@@ -2,24 +2,25 @@ import { Public, Role } from '@hed-hog/api';
 import { Locale } from '@hed-hog/api-locale';
 import { Pagination } from '@hed-hog/api-pagination';
 import {
-  BadRequestException,
-  Body,
-  Controller,
-  Delete,
-  Get,
-  Inject,
-  Param,
-  ParseIntPipe,
-  Patch,
-  Post,
-  Res,
-  UploadedFile,
-  UseInterceptors,
-  forwardRef,
+    BadRequestException,
+    Body,
+    Controller,
+    Delete,
+    Get,
+    Inject,
+    Param,
+    ParseIntPipe,
+    Patch,
+    Post,
+    Res,
+    UploadedFile,
+    UseInterceptors,
+    forwardRef,
 } from '@nestjs/common';
 import { FileInterceptor } from '@nestjs/platform-express';
 import { DeleteDTO } from '../dto/delete.dto';
 import { CreateWithEmailAndPasswordDTO } from './dto/create-with-email-and-password.dto';
+import { ResetPasswordDTO } from './dto/reset-password.dto';
 import { UpdateDTO } from './dto/update.dto';
 import { UserService } from './user.service';
 
@@ -65,6 +66,15 @@ export class UserController {
     return this.userService.update(locale, userId, data);
   }
 
+  @Patch(':userId/reset-password')
+  async resetPassword(
+    @Param('userId', ParseIntPipe) userId: number,
+    @Body() data: ResetPasswordDTO,
+    @Locale() locale: string,
+  ) {
+    return this.userService.resetPassword(locale, userId, data);
+  }
+
   @UseInterceptors(
     FileInterceptor('avatar', {
       fileFilter: (req, file, cb) => {

package/src/user/user.service.ts

@@ -13,6 +13,7 @@ import { DeleteDTO } from '../dto/delete.dto';
 import { FileService } from '../file/file.service';
 import { SecurityService } from '../security/security.service';
 import { CreateWithEmailAndPasswordDTO } from './dto/create-with-email-and-password.dto';
+import { ResetPasswordDTO } from './dto/reset-password.dto';
 import { UpdateDTO } from './dto/update.dto';
 
 // Constants
@@ -28,6 +29,14 @@ const DEFAULT_ROLE_SLUG = 'user';
 const DEFAULT_LOCALE = 'en';
 const DAYS_IN_MS = 24 * 60 * 60 * 1000;
 const NEW_USERS_PERIOD_DAYS = 7;
+const RANDOM_PASSWORD_LENGTH = 16;
+
+const PASSWORD_CHARSETS = {
+  lowercase: 'abcdefghijkmnopqrstuvwxyz',
+  uppercase: 'ABCDEFGHJKLMNPQRSTUVWXYZ',
+  numbers: '23456789',
+  symbols: '@#$%&*!?-_+',
+} as const;
 
 const USER_SORT_FIELDS = [
   'id',
@@ -197,6 +206,46 @@ export class UserService {
     });
   }
 
+  async resetPassword(
+    locale: string,
+    userId: number,
+    { password }: ResetPasswordDTO,
+  ) {
+    await this.validateUserExists(locale, userId);
+
+    const nextPassword = password || this.generateRandomPassword();
+    const passwordHash = await this.security.hashArgon2(nextPassword);
+
+    const updateResult = await this.prismaService.user_credential.updateMany({
+      where: {
+        user_id: userId,
+        type: CREDENTIAL_TYPE.PASSWORD,
+      },
+      data: {
+        hash: passwordHash,
+        requires_reset: true,
+      },
+    });
+
+    if (updateResult.count === 0) {
+      await this.prismaService.user_credential.create({
+        data: {
+          user_id: userId,
+          type: CREDENTIAL_TYPE.PASSWORD,
+          hash: passwordHash,
+          requires_reset: true,
+        },
+      });
+    }
+
+    await this.registerUserActivity(userId, 'resetPassword');
+
+    return {
+      password: nextPassword,
+      requiresReset: true,
+    };
+  }
+
   async delete(locale: string, { ids }: DeleteDTO) {
     this.validateDeleteIds(locale, ids);
 
@@ -424,6 +473,41 @@ export class UserService {
     return role;
   }
 
+  private generateRandomPassword(length = RANDOM_PASSWORD_LENGTH) {
+    const cryptoObj = globalThis.crypto;
+    const groups = [
+      PASSWORD_CHARSETS.lowercase,
+      PASSWORD_CHARSETS.uppercase,
+      PASSWORD_CHARSETS.numbers,
+      PASSWORD_CHARSETS.symbols,
+    ];
+
+    const allChars = groups.join('');
+    const values = new Uint32Array(length + groups.length);
+    cryptoObj.getRandomValues(values);
+
+    const passwordChars: string[] = [];
+
+    groups.forEach((group, index) => {
+      const randomIndex = values[index] % group.length;
+      passwordChars.push(group[randomIndex]);
+    });
+
+    for (let i = groups.length; i < values.length; i++) {
+      const randomIndex = values[i] % allChars.length;
+      passwordChars.push(allChars[randomIndex]);
+    }
+
+    for (let i = passwordChars.length - 1; i > 0; i--) {
+      const randomIndex = values[i] % (i + 1);
+      const temp = passwordChars[i];
+      passwordChars[i] = passwordChars[randomIndex];
+      passwordChars[randomIndex] = temp;
+    }
+
+    return passwordChars.slice(0, length).join('');
+  }
+
   private getUserIncludeClause() {
     return {
       user_account: true,