@strapi/plugin-users-permissions 4.3.1 → 4.3.3

package/documentation/content-api.yaml

@@ -185,6 +185,41 @@ paths:
               schema:
                 $ref: '#/components/schemas/Error'
 
+  /auth/change-password:
+    post:
+      tags:
+        - Users-Permissions - Auth
+      summary: Update user's own password
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                password:
+                  required: true
+                  type: string
+                currentPassword:
+                  required: true
+                  type: string
+                passwordConfirmation:
+                  required: true
+                  type: string
+      responses:
+        200:
+          description: Returns a jwt token and user info
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Users-Permissions-UserRegistration'
+        default:
+          description: Error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Error'
+
   /auth/email-confirmation:
     get:
       tags:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "4.3.1",
+  "version": "4.3.3",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -27,8 +27,8 @@
     "test:front:watch:ce": "cross-env IS_EE=false jest --config ./jest.config.front.js --watchAll"
   },
   "dependencies": {
-    "@strapi/helper-plugin": "4.3.1",
-    "@strapi/utils": "4.3.1",
+    "@strapi/helper-plugin": "4.3.3",
+    "@strapi/utils": "4.3.3",
     "bcryptjs": "2.4.3",
     "grant-koa": "5.4.8",
     "jsonwebtoken": "^8.1.0",
@@ -59,5 +59,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "1eab2fb08c7a4d3d40a5a7ff3b2f137ce0afcf8a"
+  "gitHead": "4d60bfdeee6eb5e9b42b5a614690d7bb86c5f84a"
 }

package/server/controllers/auth.js

@@ -18,6 +18,7 @@ const {
   validateForgotPasswordBody,
   validateResetPasswordBody,
   validateEmailConfirmationBody,
+  validateChangePasswordBody,
 } = require('./validation/auth');
 
 const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;
@@ -90,18 +91,36 @@ module.exports = {
         user: await sanitizeUser(user, ctx),
       });
     }
+  },
 
-    // Connect the user with the third-party provider.
-    try {
-      const user = await getService('providers').connect(provider, ctx.query);
+  async changePassword(ctx) {
+    if (!ctx.state.user) {
+      throw new ApplicationError('You must be authenticated to reset your password');
+    }
 
-      return ctx.send({
-        jwt: getService('jwt').issue({ id: user.id }),
-        user: await sanitizeUser(user, ctx),
-      });
-    } catch (error) {
-      throw new ApplicationError(error.message);
+    const { currentPassword, password } = await validateChangePasswordBody(ctx.request.body);
+
+    const user = await strapi.entityService.findOne(
+      'plugin::users-permissions.user',
+      ctx.state.user.id
+    );
+
+    const validPassword = await getService('user').validatePassword(currentPassword, user.password);
+
+    if (!validPassword) {
+      throw new ValidationError('The provided current password is invalid');
+    }
+
+    if (currentPassword === password) {
+      throw new ValidationError('Your new password must be different than your current password');
     }
+
+    await getService('user').edit(user.id, { password });
+
+    ctx.send({
+      jwt: getService('jwt').issue({ id: user.id }),
+      user: await sanitizeUser(user, ctx),
+    });
   },
 
   async resetPassword(ctx) {

package/server/controllers/validation/auth.js

@@ -44,6 +44,17 @@ const resetPasswordSchema = yup
   })
   .noUnknown();
 
+const changePasswordSchema = yup
+  .object({
+    password: yup.string().required(),
+    passwordConfirmation: yup
+      .string()
+      .required()
+      .oneOf([yup.ref('password')], 'Passwords do not match'),
+    currentPassword: yup.string().required(),
+  })
+  .noUnknown();
+
 module.exports = {
   validateCallbackBody: validateYupSchema(callbackSchema),
   validateRegisterBody: validateYupSchema(registerSchema),
@@ -51,4 +62,5 @@ module.exports = {
   validateEmailConfirmationBody: validateYupSchema(validateEmailConfirmationSchema),
   validateForgotPasswordBody: validateYupSchema(forgotPasswordSchema),
   validateResetPasswordBody: validateYupSchema(resetPasswordSchema),
+  validateChangePasswordBody: validateYupSchema(changePasswordSchema),
 };

package/server/graphql/mutations/auth/change-password.js

@@ -0,0 +1,41 @@
+'use strict';
+
+const { toPlainObject } = require('lodash/fp');
+
+const { checkBadRequest } = require('../../utils');
+
+module.exports = ({ nexus, strapi }) => {
+  const { nonNull } = nexus;
+
+  return {
+    type: 'UsersPermissionsLoginPayload',
+
+    args: {
+      currentPassword: nonNull('String'),
+      password: nonNull('String'),
+      passwordConfirmation: nonNull('String'),
+    },
+
+    description: 'Change user password. Confirm with the current password.',
+
+    async resolve(parent, args, context) {
+      const { koaContext } = context;
+
+      koaContext.request.body = toPlainObject(args);
+
+      await strapi
+        .plugin('users-permissions')
+        .controller('auth')
+        .changePassword(koaContext);
+
+      const output = koaContext.body;
+
+      checkBadRequest(output);
+
+      return {
+        user: output.user || output,
+        jwt: output.jwt,
+      };
+    },
+  };
+};

package/server/graphql/mutations/index.js

@@ -25,6 +25,7 @@ module.exports = context => {
     register: require('./auth/register'),
     forgotPassword: require('./auth/forgot-password'),
     resetPassword: require('./auth/reset-password'),
+    changePassword: require('./auth/change-password'),
     emailConfirmation: require('./auth/email-confirmation'),
   };
 

package/server/graphql/resolvers-configs.js

@@ -23,6 +23,11 @@ module.exports = ({ strapi }) => {
     'Mutation.forgotPassword': { auth: false },
     'Mutation.resetPassword': { auth: false },
     'Mutation.emailConfirmation': { auth: false },
+    'Mutation.changePassword': {
+      auth: {
+        scope: 'plugin::users-permissions.auth.changePassword',
+      },
+    },
 
     // Scoped auth for replaced CRUD operations
     // Role

package/server/routes/content-api/auth.js

@@ -70,4 +70,13 @@ module.exports = [
       prefix: '',
     },
   },
+  {
+    method: 'POST',
+    path: '/auth/change-password',
+    handler: 'auth.changePassword',
+    config: {
+      middlewares: ['plugin::users-permissions.rateLimit'],
+      prefix: '',
+    },
+  },
 ];

package/server/services/user.js

@@ -87,13 +87,6 @@ module.exports = ({ strapi }) => ({
   async remove(params) {
     return strapi.query('plugin::users-permissions.user').delete({ where: params });
   },
-  isHashed(password) {
-    if (typeof password !== 'string' || !password) {
-      return false;
-    }
-
-    return password.split('$').length === 4;
-  },
 
   validatePassword(password, hash) {
     return bcrypt.compare(password, hash);

package/server/services/users-permissions.js

@@ -15,6 +15,7 @@ const DEFAULT_PERMISSIONS = [
   { action: 'plugin::users-permissions.auth.emailConfirmation', roleType: 'public' },
   { action: 'plugin::users-permissions.auth.sendEmailConfirmation', roleType: 'public' },
   { action: 'plugin::users-permissions.user.me', roleType: 'authenticated' },
+  { action: 'plugin::users-permissions.auth.changePassword', roleType: 'authenticated' },
 ];
 
 const transformRoutePrefixFor = pluginName => route => {