@tomei/sso 0.60.1 → 0.60.2

package/migrations/20250326043818-crate-user-password-history.js

@@ -0,0 +1,41 @@
+'use strict';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+  async up(queryInterface, Sequelize) {
+    await queryInterface.createTable('sso_UserPasswordHistory', {
+      HistoryId: {
+        type: Sequelize.INTEGER,
+        autoIncrement: true,
+        primaryKey: true,
+        allowNull: false,
+      },
+      UserId: {
+        type: Sequelize.INTEGER,
+        allowNull: false,
+        references: {
+          model: 'sso_User',
+          key: 'UserId',
+        },
+        onUpdate: 'CASCADE',
+        onDelete: 'CASCADE',
+      },
+      PasswordHash: {
+        type: Sequelize.STRING(225),
+        allowNull: false,
+      },
+      CreatedAt: {
+        type: Sequelize.DATE,
+        allowNull: false,
+      },
+      UpdatedAt: {
+        type: Sequelize.DATE,
+        allowNull: false,
+      },
+    });
+  },
+
+  async down(queryInterface, Sequelize) {
+    await queryInterface.dropTable('sso_UserPasswordHistory');
+  },
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tomei/sso",
-  "version": "0.60.1",
+  "version": "0.60.2",
   "description": "Tomei SSO Package",
   "main": "dist/index.js",
   "scripts": {

package/src/components/login-user/user.ts

@@ -36,6 +36,7 @@ import { AuthContext } from 'types';
 import UserModel from '../../models/user.entity';
 import { UserReportingHierarchyRepository } from '../user-reporting-hierarchy/user-reporting-hierarchy.repository';
 import { IUserReportingHierarchyAttr } from 'interfaces/user-reporting-hierarchy.interface';
+import { UserPasswordHistory } from '../user-password-history/user-password-history';
 
 export class User extends UserBase {
   ObjectId: string;
@@ -1462,6 +1463,19 @@ export class User extends UserBase {
       await sessionService.deleteAuthorizationCode(hashedSubmittedToken);
       console.log(`Token verified for user: ${userId}`);
 
+      // Part 2: Validate Password History
+      // Call  by passing:
+      // dbTransaction
+      // UserId: loginUser.ObjectId
+      // Password: password
+      const passwordHashService = new PasswordHashService();
+      await UserPasswordHistory.validate(
+        dbTransaction,
+        parseInt(userId),
+        password,
+        passwordHashService,
+      );
+
       //Instantiate user
       const user = await User.init(
         sessionService,
@@ -1473,7 +1487,7 @@ export class User extends UserBase {
       await User.setPassword(dbTransaction, user, password);
 
       //Update user record
-      await User._Repository.update(
+      let userData = await User._Repository.update(
         {
           Password: user._Password,
           DefaultPasswordChangedYN: YN.Yes,
@@ -1486,6 +1500,12 @@ export class User extends UserBase {
           transaction: dbTransaction,
         },
       );
+
+      await UserPasswordHistory.create(
+        dbTransaction,
+        parseInt(userId),
+        userData.Password,
+      );
     } catch (error) {
       throw error;
     }
@@ -1603,6 +1623,12 @@ export class User extends UserBase {
         userInfo,
       );
 
+      await UserPasswordHistory.create(
+        dbTransaction,
+        userToBeCreated.UserId,
+        userToBeCreated.Password,
+      );
+
       //Part 5: Record Create User Activity
       const activity = new Activity();
       activity.ActivityId = activity.createId();
@@ -2845,6 +2871,19 @@ export class User extends UserBase {
   ) {
     try {
       const passwordHashService = new PasswordHashService();
+
+      // Part 2: Validate Password History
+      // Call  by passing:
+      // dbTransaction
+      // UserId: loginUser.ObjectId
+      // Password: password
+      await UserPasswordHistory.validate(
+        dbTransaction,
+        loginUser.UserId,
+        newPassword,
+        passwordHashService,
+      );
+
       const isPasswordValid = await passwordHashService.verify(
         oldPassword,
         this.Password,
@@ -2929,6 +2968,12 @@ export class User extends UserBase {
         },
       );
 
+      await UserPasswordHistory.create(
+        dbTransaction,
+        this.UserId,
+        this.Password,
+      );
+
       // Record update activity using Activity class create method.
       const activity = new Activity();
       activity.ActivityId = activity.createId();

package/src/components/user-password-history/index.ts

@@ -0,0 +1,2 @@
+export * from './user-password-history';
+export * from './user-password-history.repository';

package/src/components/user-password-history/user-password-history.repository.ts

@@ -0,0 +1,39 @@
+import { RepositoryBase, IRepositoryBase } from '@tomei/general';
+import UserPasswordHistoryModel from '../../models/user-password-history';
+import { Op } from 'sequelize';
+
+export class UserPasswordHistoryRepository
+  extends RepositoryBase<UserPasswordHistoryModel>
+  implements IRepositoryBase<UserPasswordHistoryModel>
+{
+  constructor() {
+    super(UserPasswordHistoryModel);
+  }
+
+  async findByPk(id: string, options?: any): Promise<UserPasswordHistoryModel> {
+    return await UserPasswordHistoryModel.findByPk(parseInt(id), options);
+  }
+
+  async destroy(HistoryId: number, dbTransaction: any): Promise<void> {
+    await UserPasswordHistoryModel.destroy({
+      where: {
+        HistoryId: HistoryId,
+      },
+      transaction: dbTransaction,
+    });
+  }
+
+  async destroyMultiple(
+    HistoryIdList: number[],
+    dbTransaction: any,
+  ): Promise<void> {
+    await UserPasswordHistoryModel.destroy({
+      where: {
+        HistoryId: {
+          [Op.in]: HistoryIdList,
+        },
+      },
+      transaction: dbTransaction,
+    });
+  }
+}

package/src/components/user-password-history/user-password-history.ts

@@ -0,0 +1,185 @@
+import { ClassError, ObjectBase } from '@tomei/general';
+import { ComponentConfig } from '@tomei/config';
+import { IUserPasswordHistoryAttr } from '../../interfaces/user-password-history.interface';
+import { UserPasswordHistoryRepository } from './user-password-history.repository';
+import { PasswordHashService } from '../../components/password-hash';
+
+export class UserPasswordHistory
+  extends ObjectBase
+  implements IUserPasswordHistoryAttr
+{
+  ObjectId: string;
+  ObjectName: string;
+  ObjectType = 'UserPasswordHistory';
+  TableName = 'sso_UserPasswordHistory';
+  UserId: number;
+  PasswordHash: string;
+  private _CreatedAt: Date;
+
+  private static _Repo = new UserPasswordHistoryRepository();
+
+  get HistoryId(): number {
+    return parseInt(this.ObjectId);
+  }
+
+  set HistoryId(value: number) {
+    this.ObjectId = value.toString();
+  }
+
+  get CreatedAt(): Date {
+    return this._CreatedAt;
+  }
+
+  private constructor(params?: IUserPasswordHistoryAttr) {
+    super();
+    if (params) {
+      this.ObjectId = params.HistoryId.toString();
+      this.UserId = params.UserId;
+      this.PasswordHash = params.PasswordHash;
+      this._CreatedAt = params.CreatedAt;
+    }
+  }
+
+  public static async init(
+    historyId?: number,
+    dbTransaction?: any,
+  ): Promise<UserPasswordHistory> {
+    try {
+      if (historyId) {
+        const data = await UserPasswordHistory._Repo.findByPk(
+          historyId.toString(),
+          dbTransaction,
+        );
+        if (!data) {
+          throw new ClassError(
+            'UserPasswordHistory',
+            'UserPasswordHistoryErrMsg01',
+            'UserPasswordHistory not found',
+            'init',
+            400,
+          );
+        }
+
+        return new UserPasswordHistory(data.get({ plain: true }));
+      }
+      return new UserPasswordHistory();
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  public static async validate(
+    dbTransaction: any,
+    UserId: number,
+    Password: string,
+    passwordHashService: PasswordHashService,
+  ): Promise<void> {
+    // This method used to check if password entered is valid by checking previous password history
+    try {
+      // Part 1-2: Retrieve password history policy by using component config, call ComponentConfig. by passing:
+      // - ComponentName: "@tomei/sso"
+      // - ConfigKey: "passwordHistory"
+      // If no password history set, use default value 3
+
+      const passwordHistoryPolicy =
+        ComponentConfig.getComponentConfigValue(
+          '@tomei/sso',
+          'passwordHistory',
+        ) || 3;
+
+      // Part 3-4: Retrieve records from the table by using  class._repo findAll() by passing:
+      // where: { UserId: params.UserId }
+      // order: [['CreatedAt', 'DESC']]
+      // limit: passwordHistory count above.
+      // If no record found, return null.
+
+      let passwordHistory = await UserPasswordHistory._Repo.findAll({
+        where: { UserId: UserId },
+        order: [['CreatedAt', 'DESC']],
+        limit: passwordHistoryPolicy,
+        transaction: dbTransaction,
+      });
+
+      if (passwordHistory?.length < 1) {
+        return null;
+      } else {
+        // Part 5: If record found, map each record to compare params.Password and record.PasswordHash using the params.passwordHashService. If match, stop the mapping, and return ClassError:
+        // ClassName: "UserPasswordHistory"
+        // MethodName: "validate"
+        // MessageCode: "UserPasswordHistory01"
+        // Message: You cannot reuse your last ${passwordHistory} passwords. Please choose a new and unique password.
+        for (let index = 0; index < passwordHistory.length; index++) {
+          const isPasswordSame = await passwordHashService.verify(
+            Password,
+            passwordHistory[index].PasswordHash,
+          );
+
+          if (isPasswordSame) {
+            throw new ClassError(
+              'UserPasswordHistory',
+              'UserPasswordHistory01',
+              `You cannot reuse your last ${passwordHistoryPolicy} passwords. Please choose a new and unique password.`,
+              'validate',
+              403,
+            );
+          }
+        }
+      }
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  public static async create(
+    dbTransaction: any,
+    UserId: number,
+    PasswordHash: string,
+  ): Promise<void> {
+    // This method used to check if password entered is valid by checking previous password history
+    try {
+      // Part 1-2: Retrieve password history policy by using component config, call ComponentConfig. by passing:
+      // - ComponentName: "@tomei/sso"
+      // - ConfigKey: "passwordHistory"
+      // If no password history set, use default value 3
+
+      const passwordHistoryPolicy =
+        ComponentConfig.getComponentConfigValue(
+          '@tomei/sso',
+          'passwordHistory',
+        ) || 3;
+
+      // Part 3: Insert new password history by calling class _repo create() method.
+      let passwordHistory = await UserPasswordHistory._Repo.create(
+        {
+          UserId: UserId,
+          PasswordHash: PasswordHash,
+        },
+        {
+          transaction: dbTransaction,
+        },
+      );
+
+      // Part 3: When inserted successfully, retrieve all the password history for the user to check
+      // how many previous password records. If records more than the passwordHistory count from
+      // config. Remove the oldest record.
+      if (passwordHistory) {
+        let passwordHistoryList = await UserPasswordHistory._Repo.findAll({
+          where: { UserId: UserId },
+          order: [['CreatedAt', 'DESC']],
+          transaction: dbTransaction,
+        });
+
+        if (passwordHistoryList.length > passwordHistoryPolicy) {
+          let deleteList = passwordHistoryList.slice(passwordHistoryPolicy);
+          let historyIdList = deleteList.map((record) => record.HistoryId);
+          await UserPasswordHistory._Repo.destroyMultiple(
+            historyIdList,
+            dbTransaction,
+          );
+        }
+      }
+    } catch (error) {
+      throw error;
+    }
+  }
+}

package/src/interfaces/user-password-history.interface.ts

@@ -0,0 +1,6 @@
+export interface IUserPasswordHistoryAttr {
+  HistoryId: number;
+  UserId: number;
+  PasswordHash: string;
+  CreatedAt: Date;
+}

package/src/models/user-password-history.ts

@@ -0,0 +1,52 @@
+import {
+  BelongsTo,
+  Column,
+  CreatedAt,
+  DataType,
+  ForeignKey,
+  Model,
+  Table,
+} from 'sequelize-typescript';
+import User from './user.entity';
+import { IUserPasswordHistoryAttr } from '../interfaces/user-password-history.interface';
+
+@Table({
+  tableName: 'sso_UserPasswordHistory',
+  timestamps: true,
+  createdAt: 'CreatedAt',
+  updatedAt: 'UpdatedAt',
+})
+export default class UserPasswordHistoryModel
+  extends Model
+  implements IUserPasswordHistoryAttr
+{
+  @Column({
+    primaryKey: true,
+    allowNull: false,
+    type: DataType.INTEGER,
+    autoIncrement: true,
+  })
+  HistoryId: number;
+
+  @ForeignKey(() => User)
+  @Column({
+    allowNull: false,
+    type: DataType.INTEGER,
+  })
+  UserId: number;
+
+  @Column({
+    allowNull: false,
+    type: DataType.STRING(225),
+  })
+  PasswordHash: string;
+
+  @CreatedAt
+  CreatedAt: Date;
+
+  @BelongsTo(() => User, {
+    as: 'User',
+    foreignKey: 'UserId',
+  })
+  User: User;
+}