@solidstarters/solid-core 1.2.166 → 1.2.169

package/src/services/authentication.service.ts

@@ -28,7 +28,6 @@ import { OTPSignUpDto } from '../dtos/otp-sign-up.dto';
 import { RefreshTokenDto } from '../dtos/refresh-token.dto';
 import { SignInDto } from '../dtos/sign-in.dto';
 import { SignUpDto } from '../dtos/sign-up.dto';
-import { UserPasswordHistory } from '../entities/user-password-history.entity';
 import { User } from '../entities/user.entity';
 import { ActiveUserData } from '../interfaces/active-user-data.interface';
 import { HashingService } from './hashing.service';
@@ -69,7 +68,6 @@ export class AuthenticationService {
     constructor(
         private readonly userService: UserService,
         @InjectRepository(User) private readonly userRepository: Repository<User>,
-        @InjectRepository(UserPasswordHistory) private readonly userPasswordHistoryRepository: Repository<UserPasswordHistory>,
         private readonly hashingService: HashingService,
         private readonly jwtService: JwtService,
         @Inject(jwtConfig.KEY)
@@ -196,7 +194,7 @@ export class AuthenticationService {
 
     private async populateForSignup<T extends User>(user: T, signUpDto: SignUpDto, isUserActive: boolean = true, onForcePasswordChange?: boolean) {
         // const user = new User();
-
+        let autoGeneratedPwdPermission = await this.settingService.getConfigValue('iamAutoGeneratedPassword');
         if (signUpDto.roles && signUpDto.roles.length > 0) {
             for (let i = 0; i < signUpDto.roles.length; i++) {
                 const roleName = signUpDto.roles[i];
@@ -210,22 +208,39 @@ export class AuthenticationService {
         if (signUpDto.mobile) {
             user.mobile = signUpDto.mobile;
         }
-        this.logger.debug("user", user);
+        // this.logger.debug("user", user);
+
         // If password has been specified by the user, then we simply create & activate the user based on the configuration parameter "activateUserOnRegistration".
         let pwd = '';
         let autoGeneratedPwd = '';
+
+        // User has specified password 
         if (signUpDto.password) {
             pwd = await this.hashingService.hash(signUpDto.password);
         }
+        // User has not specified password
         else {
-            // TODO: If password is not specified then auto-generate a random password, trigger this password over an email to the user.
-            // TODO: Also track if the user has to force reset / change their password, and then activate the user. 
-            autoGeneratedPwd = this.generatePassword();
-            pwd = await this.hashingService.hash(autoGeneratedPwd);
-            user.forcePasswordChange = true;
+            // When user does not specify password, and system is configured to auto generate passwords.
+            if (autoGeneratedPwdPermission?.toString().toLowerCase() === 'true') {
+                autoGeneratedPwd = this.generatePassword();
+                pwd = await this.hashingService.hash(autoGeneratedPwd);
+                user.forcePasswordChange = true;
+            }
+            // When user does not specify password, and system is not configured to auto generate passwords.
+            else {
+                // This means that most likely the system is going to be using password-less login. 
+                // If that is not the case then we can raise a bad request exception...
+                if (!this.isPasswordlessRegistrationEnabled()) {
+                    this.logger.error('User being created without password, and password less login is also not enabled in the system. Is this intentional?');
+                    throw new BadRequestException(ERROR_MESSAGES.PASSWORDLESS_REGISTRATION_DISABLED);
+                }
+
+                // Save the hash of the blank password, anyways since passwordless login is enabled it does not matter.
+                pwd = await this.hashingService.hash(pwd);
+            }
         }
+
         user.password = pwd;
-        // user.active = this.iamConfiguration.activateUserOnRegistration;
         user.active = isUserActive;
         return { user, pwd, autoGeneratedPwd };
     }
@@ -233,11 +248,6 @@ export class AuthenticationService {
 
     private async handlePostSignup(user: User, roles: string[] = [], pwd: string, autoGeneratedPwd: string) {
         await this.userService.initializeRolesForNewUser(roles, user);
-        // Tanay: Adding user password to history table
-        const userPasswordHistory = new UserPasswordHistory();
-        userPasswordHistory.passwordHash = pwd;
-        userPasswordHistory.user = user;
-        await this.userPasswordHistoryRepository.save(userPasswordHistory);
 
         // if forcePasswordChange is true, then we trigger an email to the user to change the password, this needs to be done using a queue. 
         // Create a new method like notifyUserOnForcePasswordChange, create a new email template we can call it on-force-password-change this template to include the random password
@@ -524,7 +534,7 @@ export class AuthenticationService {
                 username: user.username,
                 forcePasswordChange: user.forcePasswordChange,
                 id: user.id,
-                roles: user.roles.map((role, idx, roles) => role.name)
+                roles: user.roles.map((role) => role.name)
             },
             ...tokens
         }
@@ -721,19 +731,9 @@ export class AuthenticationService {
 
         // Everytime the user changes the password we reset the forcePasswordChange flag back to false. 
         user.forcePasswordChange = false;
-
-        if (await this.isPasswordDuplicate(user)) {
-            throw new BadRequestException(ERROR_MESSAGES.PASSWORD_REUSED);
-        }
-        await this.deleteOldPasswords(user);
-
         user.password = newPwd;
-        const userPasswordHistory = new UserPasswordHistory();
-        userPasswordHistory.passwordHash = newPwd;
-        userPasswordHistory.user = user;
 
         await this.userRepository.save(user);
-        await this.userPasswordHistoryRepository.save(userPasswordHistory);
 
         return true;
     }
@@ -761,7 +761,7 @@ export class AuthenticationService {
 
         let isValidUser = true // Instead of throwing exceptions we will simply return success message, this is to avoid user enumeration attacks.
         if (!user) {
-            isValidUser = false            
+            isValidUser = false
             // throw new NotFoundException(ERROR_MESSAGES.INVALID_CREDENTIALS);
         }
         if (isValidUser && !user?.active) {
@@ -792,7 +792,7 @@ export class AuthenticationService {
             error: '',
             errorCode: '',
             data: {
-                user:  {
+                user: {
                     email: user?.email,
                     // mobile: user.mobile,
                     // username: user.username,
@@ -873,24 +873,8 @@ export class AuthenticationService {
             // 2) Now update the password & history (still inside the same transaction)
             const pwdHash = await this.hashingService.hash(confirmForgotPasswordDto.password);
 
-            // Avoid ever assigning plaintext:
-            // user.password = dto.password <-- remove this line in your original code
-
             // Check reuse with your existing method (ensure it looks at hashes).
-            const tempUser = { ...user, password: pwdHash } as User; // if your helper expects it
-            if (await this.isPasswordDuplicate(tempUser)) {
-                throw new BadRequestException(ERROR_MESSAGES.PASSWORD_REUSED);
-            }
-
-            await this.deleteOldPasswords(user);
-
             await m.getRepository(User).update({ id: user.id }, { password: pwdHash });
-
-            const history = m.getRepository(UserPasswordHistory).create({
-                user: { id: user.id } as any,
-                passwordHash: pwdHash,
-            });
-            await m.getRepository(UserPasswordHistory).save(history);
             this.notifyUserOnPasswordChanged(user);
 
             return {
@@ -946,101 +930,6 @@ export class AuthenticationService {
         }
     }
 
-    // async confirmForgotPassword(confirmForgotPasswordDto: ConfirmForgotPasswordDto) {
-    //     // Steps / Algorithm: 
-    //     // 1. Identify the user using the specified "username", if not found exit.
-    //     // const user = await this.userRepository.findOne({
-    //     //     where: { username: confirmForgotPasswordDto.username, }
-    //     // });
-    //     const user = await this.resolveUserByVerificationToken(confirmForgotPasswordDto.verificationToken);
-
-    //     if (!user) {
-    //         throw new NotFoundException(ERROR_MESSAGES.USER_NOT_FOUND);
-    //     }
-
-    //     // 2. Validate if user has used a provider which is "local", only then it makes sense for us to initiate the forgot password routine. 
-    //     if (user.lastLoginProvider !== 'local') {
-    //         throw new BadRequestException(ERROR_MESSAGES.NON_LOCAL_PROVIDER);
-    //     }
-    //     if (!user.active) {
-    //         throw new UnauthorizedException(ERROR_MESSAGES.USER_INACTIVE);
-    //     }
-
-    //     // 3. Validate the verification token is proper & update the user record. 
-    //     if (user.verificationTokenOnForgotPassword !== confirmForgotPasswordDto.verificationToken) {
-    //         throw new UnauthorizedException(ERROR_MESSAGES.INVALID_VERIFICATION_TOKEN);
-    //     }
-    //     if (user.verificationTokenOnForgotPasswordExpiresAt < new Date()) {
-    //         throw new UnauthorizedException(ERROR_MESSAGES.INVALID_VERIFICATION_TOKEN);
-    //     }
-    //     user.forgotPasswordConfirmedAt = new Date();
-    //     user.verificationTokenOnForgotPassword = null;
-    //     user.verificationTokenOnForgotPasswordExpiresAt = null;
-
-    //     // 4. Update the users password while encrypting it.
-    //     const pwd = await this.hashingService.hash(confirmForgotPasswordDto.password);
-    //     user.password = confirmForgotPasswordDto.password
-
-    //     if (await this.isPasswordDuplicate(user)) {
-    //         throw new BadRequestException(ERROR_MESSAGES.PASSWORD_REUSED);
-    //     }
-    //     await this.deleteOldPasswords(user);
-
-    //     user.password = pwd;
-    //     const userPasswordHistory = new UserPasswordHistory();
-    //     userPasswordHistory.passwordHash = pwd;
-    //     userPasswordHistory.user = user;
-
-    //     await this.userRepository.save(user);
-    //     //FIXME: Do this check conditionally, basis a configuration parameter i.e if IAM_ALLOW_PREVIOUS_PASSWORDS=false, default true
-    //     await this.userPasswordHistoryRepository.save(userPasswordHistory);
-
-    //     return {
-    //         status: 'success',
-    //         message: SUCCESS_MESSAGES.FORGOT_PASSWORD_CONFIRMED,
-    //         error: '',
-    //         errorCode: '',
-    //         data: {}
-    //     }
-    // }
-
-    //FIXME: Do this check conditionally, basis a configuration parameter i.e if IAM_ALLOW_PREVIOUS_PASSWORDS=true, return immediately without processing, i.e false.
-    private async isPasswordDuplicate(user: User) {
-        const userPwdHistoryEntityArray = await this.userPasswordHistoryRepository.findBy(
-            { user: { id: user.id } }
-        )
-        let userPwdHistoryArray = [];
-        // O(n)
-        for (const entity of userPwdHistoryEntityArray) {
-            userPwdHistoryArray.push(entity.passwordHash);
-        }
-        // O(n)
-        for (const pwdHash of userPwdHistoryArray) {
-            const isEqual = await this.hashingService.compare(user.password, pwdHash);
-            if (isEqual) {
-                return true;
-            }
-        }
-        return false;
-    }
-
-    //FIXME: Do this check conditionally, basis a configuration parameter i.e if IAM_ALLOW_PREVIOUS_PASSWORDS=true, return immediately without processing
-    private async deleteOldPasswords(user: User) {
-        const userPwdHistoryArray = await this.userPasswordHistoryRepository.findBy(
-            { user: { id: user.id } }
-        )
-        const pwdLimit = 2; //FIXME: Should this be moved into the env? IAM_PREVIOUS_PASSWORDS_LIMIT
-
-        // TODO: Check what slice() or splice() does.
-        //FIXME - Delete passwords which are older than the latest n passwords. n is configurable
-        if (userPwdHistoryArray.length >= pwdLimit) {
-            const numToDelete = pwdLimit + 1 - userPwdHistoryArray.length;
-            for (let i = 0; i < numToDelete; i++) {
-                await this.userPasswordHistoryRepository.remove(userPwdHistoryArray[i]);
-            }
-        }
-    }
-
     async generateTokens(user: User) {
 
         const [accessToken, refreshToken] = await Promise.all([
@@ -1083,7 +972,7 @@ export class AuthenticationService {
 
     async refreshTokens(refreshTokenDto: RefreshTokenDto) {
         try {
-            const { sub, refreshTokenId } = await this.jwtService.verifyAsync<Pick<ActiveUserData, 'sub'> & { refreshTokenId: string }>(refreshTokenDto.refreshToken, {
+            const { sub } = await this.jwtService.verifyAsync<Pick<ActiveUserData, 'sub'> & { refreshTokenId: string }>(refreshTokenDto.refreshToken, {
                 secret: this.jwtConfiguration.secret,
                 audience: this.jwtConfiguration.audience,
                 issuer: this.jwtConfiguration.issuer,
@@ -1185,7 +1074,7 @@ export class AuthenticationService {
                 username: user.username,
                 // forcePasswordChange: user.forcePasswordChange,
                 id: user.id,
-                roles: user.roles.map((role, idx, roles) => role.name)
+                roles: user.roles.map((role) => role.name)
             },
             ...tokens
         }
@@ -1255,7 +1144,7 @@ export class AuthenticationService {
                 username: user.username,
                 // forcePasswordChange: user.forcePasswordChange,
                 id: user.id,
-                roles: user.roles.map((role, idx, roles) => role.name)
+                roles: user.roles.map((role) => role.name)
             },
             ...tokens
         }