@hed-hog/core 0.0.276 → 0.0.279

package/hedhog/frontend/messages/en.json

@@ -208,7 +208,24 @@
     "roleRemoved": "Role removed successfully",
     "errorLoadingRoles": "Error loading roles",
     "errorAssigningRole": "Error assigning role",
-    "errorRemovingRole": "Error removing role"
+    "errorRemovingRole": "Error removing role",
+    "passwordResetTitle": "Password Reset",
+    "passwordResetDescription": "Generate a new password for this user.",
+    "passwordResetNotice": "After this reset, the user must change the password on the next login.",
+    "buttonResetPassword": "Reset Password",
+    "passwordResetDialogTitle": "Reset User Password",
+    "passwordResetDialogDescription": "A strong password is generated by default. You can edit it before confirming.",
+    "passwordResetFieldLabel": "New temporary password",
+    "buttonRegeneratePassword": "Regenerate password",
+    "passwordResetConfirm": "Confirm reset",
+    "passwordResetSubmitting": "Resetting...",
+    "passwordResetSuccess": "Password reset successfully.",
+    "passwordResultTitle": "Password Generated",
+    "passwordResultDescription": "Copy and share this password now. It will only be shown once.",
+    "buttonCopyPassword": "Copy password",
+    "passwordCopied": "Password copied to clipboard.",
+    "passwordCopyError": "Unable to copy password.",
+    "close": "Close"
   },
   "RolePage": {
     "title": "Roles Management",
@@ -401,6 +418,7 @@
     "passwordRequired": "Password is required",
     "passwordMinLength": "Password must be at least 6 characters long",
     "mfaVerificationMessage": "Enter the verification code",
+    "passwordResetRequiredMessage": "You must change your password before continuing.",
     "hidePassword": "Hide password",
     "showPassword": "Show password",
     "loginWith": "Sign in with"
@@ -1026,10 +1044,12 @@
     "extraLarge": "Extra Large",
     "clearSize": "Clear Size",
     "heading": "Heading",
+    "alignment": "Alignment",
     "alignLeft": "Align Left",
     "alignCenter": "Center",
     "alignRight": "Align Right",
     "justify": "Justify",
+    "lists": "Lists",
     "bulletList": "Bullet List",
     "numberedList": "Numbered List",
     "addLink": "Add Link",
@@ -1043,6 +1063,7 @@
     "clearFormatting": "Clear Formatting",
     "undo": "Undo",
     "redo": "Redo",
+    "more": "More",
     "advancedMode": "Advanced Mode (HTML)",
     "advancedModeTitle": "Advanced Mode - HTML Editor",
     "advancedModeDescription": "Edit HTML directly with syntax highlighting and automatic indentation",
@@ -1142,8 +1163,11 @@
   },
   "ForbiddenDialog": {
     "title": "Access Denied",
-    "defaultMessage": "You do not have permission to access this resource.",
-    "understood": "Understood"
+    "defaultMessage": "You do not have access to request this resource.",
+    "understood": "Understood",
+    "statusCode": "Status",
+    "method": "Method",
+    "url": "URL"
   },
   "ForbiddenPage": {
     "message": "Forbidden: You don't have permission to access this page.",
@@ -1156,6 +1180,8 @@
     "sessionsToday": "Sessions Today",
     "emailsSent": "E-mails Sent",
     "permissions": "Permissions",
+    "menus": "Menus",
+    "routes": "Routes",
     "userGrowthTitle": "User Growth",
     "userGrowthDescription": "Monthly evolution of users and sessions",
     "users": "Users",

package/hedhog/frontend/messages/pt.json

@@ -208,7 +208,24 @@
     "roleRemoved": "Cargo removido com sucesso",
     "errorLoadingRoles": "Erro ao carregar cargos",
     "errorAssigningRole": "Erro ao atribuir cargo",
-    "errorRemovingRole": "Erro ao remover cargo"
+    "errorRemovingRole": "Erro ao remover cargo",
+    "passwordResetTitle": "Redefinição de senha",
+    "passwordResetDescription": "Gere uma nova senha para este usuário.",
+    "passwordResetNotice": "Após essa redefinição, o usuário será obrigado a alterar a senha no próximo login.",
+    "buttonResetPassword": "Redefinir senha",
+    "passwordResetDialogTitle": "Redefinir senha do usuário",
+    "passwordResetDialogDescription": "Uma senha forte é gerada por padrão. Você pode editar antes de confirmar.",
+    "passwordResetFieldLabel": "Nova senha temporária",
+    "buttonRegeneratePassword": "Gerar outra senha",
+    "passwordResetConfirm": "Confirmar redefinição",
+    "passwordResetSubmitting": "Redefinindo...",
+    "passwordResetSuccess": "Senha redefinida com sucesso.",
+    "passwordResultTitle": "Senha gerada",
+    "passwordResultDescription": "Copie e compartilhe essa senha agora. Ela será exibida apenas uma vez.",
+    "buttonCopyPassword": "Copiar senha",
+    "passwordCopied": "Senha copiada para a área de transferência.",
+    "passwordCopyError": "Não foi possível copiar a senha.",
+    "close": "Fechar"
   },
   "RolePage": {
     "title": "Gerenciamento de Cargos",
@@ -401,6 +418,7 @@
     "passwordRequired": "Senha obrigatória",
     "passwordMinLength": "Senha mínima de 6 caracteres",
     "mfaVerificationMessage": "Digite o código de verificação",
+    "passwordResetRequiredMessage": "Você deve alterar sua senha antes de continuar.",
     "hidePassword": "Ocultar senha",
     "showPassword": "Mostrar senha",
     "loginWith": "Entrar com"
@@ -1031,10 +1049,12 @@
     "extraLarge": "Extra Grande",
     "clearSize": "Limpar Tamanho",
     "heading": "Título",
+    "alignment": "Alinhamento",
     "alignLeft": "Alinhar à Esquerda",
     "alignCenter": "Centralizar",
     "alignRight": "Alinhar à Direita",
     "justify": "Justificar",
+    "lists": "Listas",
     "bulletList": "Lista com Marcadores",
     "numberedList": "Lista Numerada",
     "addLink": "Adicionar Link",
@@ -1048,6 +1068,7 @@
     "clearFormatting": "Limpar Formatação",
     "undo": "Desfazer",
     "redo": "Refazer",
+    "more": "Mais",
     "advancedMode": "Modo Avançado (HTML)",
     "advancedModeTitle": "Modo Avançado - Editor HTML",
     "advancedModeDescription": "Edite o HTML diretamente com syntax highlighting e indentação automática",
@@ -1197,8 +1218,11 @@
   },
   "ForbiddenDialog": {
     "title": "Acesso Negado",
-    "defaultMessage": "Você não tem permissão para acessar este recurso.",
-    "understood": "Entendi"
+    "defaultMessage": "Você não tem acesso para solicitar este recurso.",
+    "understood": "Entendi",
+    "statusCode": "Status",
+    "method": "Método",
+    "url": "URL"
   },
   "ForbiddenPage": {
     "message": "Proibido: Você não tem permissão para acessar esta página.",
@@ -1211,6 +1235,8 @@
     "sessionsToday": "Sessões Hoje",
     "emailsSent": "E-mails Enviados",
     "permissions": "Permissões",
+    "menus": "Menus",
+    "routes": "Rotas",
     "userGrowthTitle": "Crescimento de Usuários",
     "userGrowthDescription": "Evolução mensal de usuários e sessões",
     "users": "Usuários",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hed-hog/core",
-  "version": "0.0.276",
+  "version": "0.0.279",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "dependencies": {
@@ -31,11 +31,11 @@
     "speakeasy": "^2.0.0",
     "uuid": "^11.1.0",
     "@hed-hog/api-pagination": "0.0.6",
-    "@hed-hog/api-prisma": "0.0.5",
     "@hed-hog/api-types": "0.0.1",
+    "@hed-hog/api-locale": "0.0.13",
     "@hed-hog/api-mail": "0.0.8",
-    "@hed-hog/api": "0.0.4",
-    "@hed-hog/api-locale": "0.0.13"
+    "@hed-hog/api-prisma": "0.0.5",
+    "@hed-hog/api": "0.0.4"
   },
   "exports": {
     ".": {

package/src/auth/auth.controller.ts

@@ -1,18 +1,19 @@
 import { Public, Role, User, UserOptional } from '@hed-hog/api';
 import { Locale } from '@hed-hog/api-locale';
-import {
-  BadRequestException,
-  Body,
-  Controller,
-  forwardRef,
-  Get,
-  Headers,
-  Inject,
-  Ip,
-  Post,
-  Req,
-  Res
-} from '@nestjs/common';
+import {
+    BadRequestException,
+    Body,
+    Controller,
+    forwardRef,
+    Get,
+    Headers,
+    Inject,
+    Ip,
+    Post,
+    Req,
+    Res,
+    UnauthorizedException,
+} from '@nestjs/common';
 import { TokenService } from '../token/token.service';
 import { CreateWithEmailAndPasswordDTO } from '../user/dto/create-with-email-and-password.dto';
 import { UserService } from '../user/user.service';
@@ -123,7 +124,7 @@ export class AuthController {
     @Headers('user-agent') userAgent: string,
     @Res({ passthrough: true }) res,
   ) {
-    const { accessToken, refreshToken, session } = await this.service.verifyMfaCode(
+    const { accessToken, refreshToken, session, requiresPasswordReset } = await this.service.verifyMfaCode(
       locale,
       token,
       code,
@@ -133,7 +134,7 @@ export class AuthController {
     );
 
     await this.token.setRefreshTokenCookie(locale, res, refreshToken, session.expires_at);
-    return { accessToken, refreshToken };
+    return { accessToken, refreshToken, requiresPasswordReset };
   }
 
   @Public()
@@ -145,7 +146,7 @@ export class AuthController {
     @Headers('user-agent') userAgent: string,
     @Res({ passthrough: true }) res,
   ) {
-    const { accessToken, refreshToken, session } = await this.service.verifyMfaRecoveryCode(
+    const { accessToken, refreshToken, session, requiresPasswordReset } = await this.service.verifyMfaRecoveryCode(
       locale,
       token,
       code,
@@ -154,7 +155,7 @@ export class AuthController {
     );
 
     await this.token.setRefreshTokenCookie(locale, res, refreshToken, session.expires_at);
-    return { accessToken, refreshToken };
+    return { accessToken, refreshToken, requiresPasswordReset };
   }
 
   @Public()
@@ -184,7 +185,7 @@ export class AuthController {
     @Headers('user-agent') userAgent: string,
     @Res({ passthrough: true }) res,
   ) {
-    const { accessToken, refreshToken, session } = await this.service.verifyWebAuthnAuthentication(
+    const { accessToken, refreshToken, session, requiresPasswordReset } = await this.service.verifyWebAuthnAuthentication(
       locale,
       mfaToken,
       assertionResponse,
@@ -193,7 +194,7 @@ export class AuthController {
     );
 
     await this.token.setRefreshTokenCookie(locale, res, refreshToken, session.expires_at);
-    return { accessToken, refreshToken };
+    return { accessToken, refreshToken, requiresPasswordReset };
   }
 
   @Public()
@@ -215,7 +216,7 @@ export class AuthController {
   ) {
     const refreshToken = req.cookies['rt'] || refreshTokenFromBody;
     if (!refreshToken) {
-      throw new BadRequestException('Refresh token not provided');
+      throw new UnauthorizedException('Refresh token not provided');
     }
 
     await this.service.logout(res, req, refreshToken);

package/src/auth/auth.service.ts

@@ -1,13 +1,14 @@
 import { getLocaleText } from '@hed-hog/api-locale';
 import { PrismaService } from '@hed-hog/api-prisma';
 import { User } from '@hed-hog/api-types';
-import {
-  BadRequestException,
-  forwardRef,
-  Inject,
-  Injectable,
-  NotFoundException,
-} from '@nestjs/common';
+import {
+    BadRequestException,
+    forwardRef,
+    Inject,
+    Injectable,
+    NotFoundException,
+    UnauthorizedException,
+} from '@nestjs/common';
 import { ChallengeService } from '../challenge/challenge.service';
 import { MailService as MailManagerService } from '../mail/mail.service';
 import { SecurityService } from '../security/security.service';
@@ -54,6 +55,31 @@ export class AuthService {
 
   }
 
+  private hasPendingPasswordReset(user: User | any) {
+    return Boolean(
+      user?.user_credential?.some(
+        (credential) =>
+          credential.type === 'password' &&
+          credential.requires_reset === true &&
+          !credential.revoked_at,
+      ),
+    );
+  }
+
+  private async getRequiresPasswordResetByUserId(userId: number) {
+    const credential = await this.prisma.user_credential.findFirst({
+      where: {
+        user_id: userId,
+        type: 'password',
+        requires_reset: true,
+        revoked_at: null,
+      },
+      select: { id: true },
+    });
+
+    return Boolean(credential?.id);
+  }
+
   async requiresMfaForLogin(locale: string, email: string, user: any) {
 
     console.log('MFA required, setting up email MFA');
@@ -340,11 +366,13 @@ export class AuthService {
 
     await this.token.setRefreshTokenCookie(locale, res, refreshToken, session.expires_at);
 
+    const requiresPasswordReset = this.hasPendingPasswordReset(user);
+
     if (refreshToken) {
-      return { accessToken, refreshToken };
+      return { accessToken, refreshToken, requiresPasswordReset };
     }
 
-    return { accessToken };
+    return { accessToken, requiresPasswordReset };
   }
 
   async loginWithEmailAndPassword(
@@ -358,10 +386,17 @@ export class AuthService {
     const user = await this.user.findUserByEmail(locale, email);
 
     if (!user) throw new BadRequestException(getLocaleText('accessDenied', locale, 'Access denied.'));
+
+    console.debug({ user });
+
     const credentials = (user as unknown as User).user_credential?.filter((c) => c.type === 'password') || [];
+
+    console.debug({ credentials });
+
     const identifier = user.user_identifier?.find((i) => i.type === 'email' && i.value === email);
 
     if (!(await this.security.validatePassword(locale, credentials, password))) {
+      console.debug('Invalid password');
       throw new BadRequestException(getLocaleText('accessDenied', locale, 'Access denied.'));
     }
 
@@ -435,14 +470,18 @@ export class AuthService {
 
   async verifyUser(locale: string, userId: number) {
     const user = await this.user.findUserById(locale, userId);
+    const requiresPasswordReset = this.hasPendingPasswordReset(user);
     delete user.user_credential;
-    return user;
+    return {
+      ...user,
+      requires_password_reset: requiresPasswordReset,
+    };
   }
 
   async refreshAccessToken(locale: string, refreshToken: string, ipAddress: string, userAgent: string) {
 
     if (!refreshToken) {
-      throw new BadRequestException(getLocaleText('accessDenied', locale, 'Access denied.'));
+      throw new UnauthorizedException(getLocaleText('accessDenied', locale, 'Access denied.'));
     }
 
     const { session, token } = await this.session.refresh(
@@ -492,7 +531,7 @@ export class AuthService {
           }
         }
       },
-      data: { hash: passwordHash },
+      data: { hash: passwordHash, requires_reset: false },
     });
 
     const userIdentifier = await this.prisma.user_identifier.findFirst({
@@ -646,7 +685,10 @@ export class AuthService {
     );
 
     await this.user.registerUserActivity(user.id, "login");
-    return { accessToken, refreshToken, session };
+    const requiresPasswordReset = await this.getRequiresPasswordResetByUserId(
+      user.id,
+    );
+    return { accessToken, refreshToken, session, requiresPasswordReset };
   }
 
   async verifyMfaRecoveryCode(locale: string, mfaToken: string, recoveryCode: string, ipAddress: string, userAgent: string) {
@@ -685,7 +727,10 @@ export class AuthService {
     );
 
     await this.user.registerUserActivity(user.id, "login");
-    return { accessToken, refreshToken, session };
+    const requiresPasswordReset = await this.getRequiresPasswordResetByUserId(
+      user.id,
+    );
+    return { accessToken, refreshToken, session, requiresPasswordReset };
   }
 
   async resendMfaCode(locale: string, mfaToken: string) {
@@ -846,6 +891,9 @@ export class AuthService {
     );
 
     await this.user.registerUserActivity(userId, 'login');
-    return { accessToken, refreshToken, session };
+    const requiresPasswordReset = await this.getRequiresPasswordResetByUserId(
+      userId,
+    );
+    return { accessToken, refreshToken, session, requiresPasswordReset };
   }
 }

package/src/dashboard/dashboard-core/dashboard-core.controller.ts

@@ -23,6 +23,11 @@ export class DashboardCoreController {
     return this.dashboardCoreService.getMailStatistics();
   }
 
+  @Get('stats/overview/system')
+  getSystemStatistics() {
+    return this.dashboardCoreService.getSystemStatistics();
+  }
+
   @Get('widgets/me')
   getWidgetsData(@User() user, @Locale() locale: string) {
     return this.dashboardCoreService.getWidgetsData(user.id, locale);

package/src/dashboard/dashboard-core/dashboard-core.service.ts

@@ -297,6 +297,40 @@ export class DashboardCoreService {
     };
   }
 
+  async getSystemStatistics() {
+    const now = new Date();
+    const currentMonthStart = new Date(now.getFullYear(), now.getMonth(), 1);
+    const lastMonthStart = new Date(now.getFullYear(), now.getMonth() - 1, 1);
+    const lastMonthEnd = new Date(now.getFullYear(), now.getMonth(), 0, 23, 59, 59);
+
+    const [
+      menusCount,
+      routesCount,
+      menusCurrentMonth,
+      menusLastMonth,
+    ] = await Promise.all([
+      this.prismaService.menu.count(),
+      this.prismaService.route.count(),
+      this.prismaService.menu.count({ where: { created_at: { gte: currentMonthStart } } }),
+      this.prismaService.menu.count({ where: { created_at: { gte: lastMonthStart, lte: lastMonthEnd } } }),
+    ]);
+
+    const menusChange = this.calculateChange(menusCurrentMonth, menusLastMonth);
+
+    return {
+      cards: {
+        menus: {
+          value: menusCount,
+          change: menusChange,
+        },
+        routes: {
+          value: routesCount,
+          change: null,
+        },
+      },
+    };
+  }
+
   async getUserLayout(userId: number, slug: string, localeCode: string) {
     const dashboard = await this.prismaService.dashboard.findFirst({ where: { slug } });
 

package/src/profile/profile.service.ts

@@ -355,7 +355,7 @@ export class ProfileService {
     const passwordHash = await this.security.hashArgon2(newPassword);
     await this.prisma.user_credential.update({
       where: { id: credential.id },
-      data: { hash: passwordHash },
+      data: { hash: passwordHash, requires_reset: false },
     });
 
     // Get user data and email for notification

package/src/role/guards/role.guard.ts

@@ -2,13 +2,13 @@ import { IS_PUBLIC_KEY, WITH_ROLE } from '@hed-hog/api';
 import { getLocaleText } from '@hed-hog/api-locale';
 import { PrismaService } from '@hed-hog/api-prisma';
 import {
-  CanActivate,
-  ExecutionContext,
-  forwardRef,
-  Inject,
-  Injectable,
-  RequestMethod,
-  UnauthorizedException,
+    CanActivate,
+    ExecutionContext,
+    forwardRef,
+    Inject,
+    Injectable,
+    RequestMethod,
+    UnauthorizedException,
 } from '@nestjs/common';
 import { METHOD_METADATA } from '@nestjs/common/constants';
 import { Reflector } from '@nestjs/core';
@@ -16,6 +16,11 @@ import { Request } from 'express';
 
 @Injectable()
 export class RoleGuard implements CanActivate {
+  private readonly forcePasswordResetAllowedRoutes = new Set([
+    'PUT /profile/change-password',
+    'GET /auth/verify',
+  ]);
+
   constructor(
     private reflector: Reflector,
     @Inject(forwardRef(() => PrismaService))
@@ -128,6 +133,30 @@ export class RoleGuard implements CanActivate {
       throw new UnauthorizedException(message);
     }
 
+    const hasPendingPasswordReset = await this.prisma.user_credential.findFirst({
+      where: {
+        user_id: userId,
+        type: 'password',
+        requires_reset: true,
+        revoked_at: null,
+      },
+      select: { id: true },
+    });
+
+    if (
+      hasPendingPasswordReset &&
+      !this.forcePasswordResetAllowedRoutes.has(`${httpMethod} ${fullPath}`)
+    ) {
+      const locale = request['locale'] || 'en';
+      throw new UnauthorizedException(
+        getLocaleText(
+          'profile.changePassword.required',
+          locale,
+          'Password update required before accessing this resource.',
+        ),
+      );
+    }
+
     return true;
   }
 

package/src/session/session.service.ts

@@ -2,7 +2,7 @@ import { getLocaleText } from '@hed-hog/api-locale';
 import { PaginationDTO, PaginationService } from '@hed-hog/api-pagination';
 import { PrismaService } from '@hed-hog/api-prisma';
 import { HttpService } from '@nestjs/axios';
-import { BadRequestException, forwardRef, HttpException, HttpStatus, Inject, Injectable, NotFoundException } from '@nestjs/common';
+import { BadRequestException, forwardRef, HttpException, HttpStatus, Inject, Injectable, NotFoundException, UnauthorizedException } from '@nestjs/common';
 import { firstValueFrom } from 'rxjs';
 import { SecurityService } from '../security/security.service';
 import { SettingService } from '../setting/setting.service';
@@ -88,7 +88,7 @@ export class SessionService {
     });
 
     if (!session) {
-      throw new BadRequestException(getLocaleText('accessDenied', locale, 'Access denied.'));
+      throw new UnauthorizedException(getLocaleText('accessDenied', locale, 'Access denied.'));
     }
 
     await this.prisma.user_session.update({

package/src/user/dto/reset-password.dto.ts

@@ -0,0 +1,11 @@
+import { getLocaleText } from '@hed-hog/api-locale';
+import { IsOptional } from 'class-validator';
+import { IsStrongPasswordWithSettings } from '../../validators/is-strong-password-with-settings.validator';
+
+export class ResetPasswordDTO {
+  @IsOptional()
+  @IsStrongPasswordWithSettings({
+    message: (args) => getLocaleText('validation.passwordStrength', args.value),
+  })
+  password?: string;
+}

package/src/user/user.controller.ts

@@ -2,24 +2,25 @@ import { Public, Role } from '@hed-hog/api';
 import { Locale } from '@hed-hog/api-locale';
 import { Pagination } from '@hed-hog/api-pagination';
 import {
-  BadRequestException,
-  Body,
-  Controller,
-  Delete,
-  Get,
-  Inject,
-  Param,
-  ParseIntPipe,
-  Patch,
-  Post,
-  Res,
-  UploadedFile,
-  UseInterceptors,
-  forwardRef,
+    BadRequestException,
+    Body,
+    Controller,
+    Delete,
+    Get,
+    Inject,
+    Param,
+    ParseIntPipe,
+    Patch,
+    Post,
+    Res,
+    UploadedFile,
+    UseInterceptors,
+    forwardRef,
 } from '@nestjs/common';
 import { FileInterceptor } from '@nestjs/platform-express';
 import { DeleteDTO } from '../dto/delete.dto';
 import { CreateWithEmailAndPasswordDTO } from './dto/create-with-email-and-password.dto';
+import { ResetPasswordDTO } from './dto/reset-password.dto';
 import { UpdateDTO } from './dto/update.dto';
 import { UserService } from './user.service';
 
@@ -65,6 +66,15 @@ export class UserController {
     return this.userService.update(locale, userId, data);
   }
 
+  @Patch(':userId/reset-password')
+  async resetPassword(
+    @Param('userId', ParseIntPipe) userId: number,
+    @Body() data: ResetPasswordDTO,
+    @Locale() locale: string,
+  ) {
+    return this.userService.resetPassword(locale, userId, data);
+  }
+
   @UseInterceptors(
     FileInterceptor('avatar', {
       fileFilter: (req, file, cb) => {