adapt-authoring-auth-local 0.0.1

package/.eslintignore

@@ -0,0 +1 @@
+node_modules

package/.eslintrc

@@ -0,0 +1,14 @@
+{
+  "env": {
+      "browser": false,
+      "node": true,
+      "commonjs": false,
+      "es2020": true
+  },
+  "extends": [
+      "standard"
+  ],
+  "parserOptions": {
+      "ecmaVersion": 2020
+  }
+}

package/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,55 @@
+name: Bug Report
+description: File a bug report
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: textarea
+    id: description
+    attributes:
+      label: What happened?
+      description: Please describe the issue
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behaviour
+      description: Tell us what should have happened
+  - type: textarea
+    id: repro-steps
+    attributes:
+      label: Steps to reproduce
+      description: Tell us how to reproduce the issue
+    validations:
+      required: true
+  - type: input
+    id: aat-version
+    attributes:
+      label: Authoring tool version
+      description: What version of the Adapt authoring tool are you running?
+    validations:
+      required: true
+  - type: input
+    id: fw-version
+    attributes:
+      label: Framework version
+      description: What version of the Adapt framework are you running?
+  - type: dropdown
+    id: browsers
+    attributes:
+      label: What browsers are you seeing the problem on?
+      multiple: true
+      options:
+        - Firefox
+        - Chrome
+        - Safari
+        - Microsoft Edge
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+      render: sh

package/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

package/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,22 @@
+name: Feature request
+description: Request a new feature
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to request a new feature in the Adapt authoring tool! The Adapt team will consider all new feature requests, but unfortunately cannot commit to every one.
+  - type: textarea
+    id: description
+    attributes:
+      label: Feature description
+      description: Please describe your feature request
+    validations:
+      required: true
+  - type: checkboxes
+    id: contribute
+    attributes:
+      label: Can you work on this feature?
+      description: If you are able to commit your own time to work on this feature, it will greatly increase the liklihood of it being implemented by the core dev team. Otherwise, it will be triaged and prioritised alongside the core team's current priorities.
+      options:
+        - label: I can contribute

package/.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

package/.github/pull_request_template.md

@@ -0,0 +1,25 @@
+[//]: # (Please title your PR according to eslint commit conventions)
+[//]: # (See https://github.com/conventional-changelog/conventional-changelog/tree/master/packages/conventional-changelog-eslint#eslint-convention for details)
+
+[//]: # (Add a link to the original issue)
+
+[//]: # (Delete as appropriate)
+### Fix
+* A sentence describing each fix
+
+### Update
+* A sentence describing each udpate
+
+### New
+* A sentence describing each new feature
+
+### Breaking
+* A sentence describing each breaking change
+
+[//]: # (List appropriate steps for testing if needed)
+### Testing
+1. Steps for testing
+
+[//]: # (Mention any other dependencies)
+
+

package/.github/workflows/labelled_prs.yml

@@ -0,0 +1,16 @@
+name: Add labelled PRs to project
+
+on:
+  pull_request:
+    types: [ labeled ]
+
+jobs:
+  add-to-project:
+    if: ${{ github.event.label.name == 'dependencies' }}
+    name: Add to main project
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@v0.1.0
+        with:
+          project-url: https://github.com/orgs/adapt-security/projects/5
+          github-token: ${{ secrets.PROJECTS_SECRET }}

package/.github/workflows/new.yml

@@ -0,0 +1,19 @@
+name: Add to main project
+
+on:
+  issues:
+    types:
+      - opened
+  pull_request:
+    types:
+      - opened
+
+jobs:
+  add-to-project:
+    name: Add to main project
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@v0.1.0
+        with:
+          project-url: https://github.com/orgs/adapt-security/projects/5
+          github-token: ${{ secrets.PROJECTS_SECRET }}

package/adapt-authoring.json

@@ -0,0 +1,5 @@
+{
+  "documentation": {
+    "enable": true
+  }
+}

package/conf/config.schema.json

@@ -0,0 +1,84 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "type": "object",
+  "properties": {
+    "saltRounds": {
+      "description": "The number of rounds performed when generating a password hash",
+      "type": "number",
+      "default": 10
+    },
+    "failsUntilTemporaryLock": {
+      "description": "The number of failed login attempts allowed before the account is locked for a short period of time",
+      "type": "number",
+      "default": 5
+    },
+    "failsUntilPermanentLock": {
+      "description": "The number of failed login attempts allowed before the account is permanently locked",
+      "type": "number",
+      "default": 20
+    },
+    "temporaryLockDuration": {
+      "description": "The amount of time a locked user must wait before attempting to log in again",
+      "type": "string",
+      "isTimeMs": true,
+      "default": "1m"
+    },
+    "resetTokenLifespan": {
+      "description": "The amount of time a password reset token remains valid for",
+      "type": "string",
+      "isTimeMs": true,
+      "default": "24h"
+    },
+    "inviteTokenLifespan": {
+      "description": "The amount of time an invite password reset token remains valid for",
+      "type": "string",
+      "isTimeMs": true,
+      "default": "7d"
+    },
+    "minPasswordLength": {
+      "description": "Minimum password length",
+      "type": "number",
+      "default": 8,
+      "_adapt": {
+        "isPublic": true
+      }
+    },
+    "passwordMustHaveNumber": {
+      "description": "Whether the password must contain at least one number",
+      "type": "boolean",
+      "default": false,
+      "_adapt": {
+        "isPublic": true
+      }
+    },
+    "passwordMustHaveUppercase": {
+      "description": "Whether the password must contain at least one uppercase character",
+      "type": "boolean",
+      "default": false,
+      "_adapt": {
+        "isPublic": true
+      }
+    },
+    "passwordMustHaveLowercase": {
+      "description": "Whether the password must contain at least one lowercase character",
+      "type": "boolean",
+      "default": false,
+      "_adapt": {
+        "isPublic": true
+      }
+    },
+    "passwordMustHaveSpecial": {
+      "description": "Whether the password must contain at least one special character",
+      "type": "boolean",
+      "default": false,
+      "_adapt": {
+        "isPublic": true
+      }
+    },
+    "blacklistedPasswordValues": {
+      "description": "Values which cannot be used in passwords",
+      "type": "array",
+      "default": []
+    }
+  }
+}

package/errors/errors.json

@@ -0,0 +1,59 @@
+{
+  "ACCOUNT_LOCKED_PERM": {
+    "description": "User account has been permanently locked",
+    "statusCode": 401
+  },
+  "ACCOUNT_LOCKED_TEMP": {
+    "data": {
+      "remaining": "The amount of time remaining before account is unlocked"
+    },
+    "description": "User account has been temporarily locked",
+    "statusCode": 401
+  },
+  "ACCOUNT_NOT_LOCALAUTHD": {
+    "description": "Specified account is not authenticated with local auth",
+    "statusCode": 400
+  },
+  "BLACKLISTED_PASSWORD_VALUE": {
+    "description": "Password contains a blacklisted value",
+    "statusCode": 400
+  },
+  "INCORRECT_PASSWORD": {
+    "description": "Provided password does not match that stored",
+    "statusCode": 401
+  },
+  "INVALID_PASSWORD": {
+    "data": {
+      "errors": "The validation errors"
+    },
+    "description": "Password failed validation",
+    "statusCode": 400
+  },
+  "INVALID_PASSWORD_LENGTH": {
+    "data": {
+      "length": "the minimum required number of characters"
+    },
+    "description": "Password must be at least the required number of characters",
+    "statusCode": 400
+  },
+  "INVALID_PASSWORD_UPPERCASE": {
+    "description": "Password must contain at least one uppercase character",
+    "statusCode": 400
+  },
+  "INVALID_PASSWORD_LOWERCASE": {
+    "description": "Password must contain at least one lowercase character",
+    "statusCode": 400
+  },
+  "INVALID_PASSWORD_NUMBER": {
+    "description": "Password must contain at least one number",
+    "statusCode": 400
+  },
+  "INVALID_PASSWORD_SPECIAL": {
+    "description": "Password must contain at least one special character (#?!@$%^&*-)",
+    "statusCode": 400
+  },
+  "SUPER_USER_EXISTS": {
+    "description": "A Super Admin account already exists",
+    "statusCode": 400
+  }
+}

package/index.js

@@ -0,0 +1,6 @@
+/**
+ * Local (username/password) authentication
+ * @namespace localauth
+ */
+export { default } from './lib/LocalAuthModule.js'
+export { default as PasswordUtils } from './lib/PasswordUtils.js'

package/lib/LocalAuthModule.js

@@ -0,0 +1,331 @@
+import _ from 'lodash'
+import { AbstractAuthModule } from 'adapt-authoring-auth'
+import apidefs from './apidefs.js'
+import { formatDistanceToNowStrict as toNow } from 'date-fns'
+import PasswordUtils from './PasswordUtils.js'
+/**
+ * Module which implements username/password (local) authentication
+ * @memberof localauth
+ * @extends {AbstractAuthModule}
+ */
+class LocalAuthModule extends AbstractAuthModule {
+  /**
+   * Returns a human-readable string to denote how many seconds are remaining
+   * @param {Number} secs The remaining seconds
+   */
+  static formatRemainingTime (secs) {
+    return toNow(Date.now() + (secs * 1000))
+  }
+
+  /** @override */
+  async setValues () {
+    /** @ignore */ this.userSchema = 'localauthuser'
+    /** @ignore */ this.type = 'local'
+    /** @ignore */ this.routes = [
+      {
+        route: '/invite',
+        handlers: { post: this.inviteHandler.bind(this) },
+        meta: apidefs.invite
+      }, {
+        route: '/registersuper',
+        internal: true,
+        handlers: { post: this.registerSuperHandler.bind(this) },
+        meta: apidefs.registersuper
+      }, {
+        route: '/changepass',
+        handlers: { post: this.changePasswordHandler.bind(this) },
+        meta: apidefs.changepass
+      }, {
+        route: '/forgotpass',
+        handlers: { post: this.forgotPasswordHandler.bind(this) },
+        meta: apidefs.forgotpass
+      }, {
+        route: '/validatepass',
+        handlers: { post: this.validatePasswordHandler.bind(this) },
+        meta: apidefs.validatepass
+      }
+    ]
+  }
+
+  /** @override */
+  async init () {
+    await super.init()
+    this.secureRoute('/invite', 'post', ['register:users'])
+    this.secureRoute('/validatepass', 'post', ['read:me'])
+    this.unsecureRoute('/registersuper', 'post')
+    this.unsecureRoute('/changepass', 'post')
+    this.unsecureRoute('/forgotpass', 'post')
+    // add API metadata
+    this.router.routes.find(r => r.route === '/').meta = apidefs.root
+    this.router.routes.find(r => r.route === '/register').meta = apidefs.register
+
+    const users = await this.app.waitForModule('users')
+    /**
+     * Local reference to the current UsersModule instance for convenience
+     * @type {UsersModule}
+     */
+    this.users = users
+  }
+
+  /** @override */
+  async authenticate (user, req, res) {
+    if (!req.body.password) {
+      throw this.app.errors.INVALID_LOGIN_DETAILS
+    }
+    const isTempLockTimeout = user.isTempLocked && (new Date(user.lastFailedLoginAttempt).getTime() + this.getConfig('temporaryLockDuration') - Date.now()) > 0
+    let failedLoginAttempts = user.failedLoginAttempts
+    let lastFailedLoginAttempt
+    let error
+    try {
+      await PasswordUtils.compare(req.body.password, user.password)
+    } catch (e) {
+      if (!user.isPermLocked && !isTempLockTimeout) { // only update failed login data when account isn't locked
+        failedLoginAttempts += 1
+        lastFailedLoginAttempt = new Date().toISOString()
+      }
+      error = e
+    }
+    const isPermLocked = user.isPermLocked || failedLoginAttempts >= this.getConfig('failsUntilPermanentLock')
+    const isTempLocked = isTempLockTimeout || (failedLoginAttempts > 0 && (failedLoginAttempts % this.getConfig('failsUntilTemporaryLock') === 0))
+
+    if (!error && !isPermLocked && !isTempLocked) {
+      failedLoginAttempts = 0
+    }
+    if (user) {
+      await this.updateUser(user._id, { isPermLocked, isTempLocked, lastFailedLoginAttempt, failedLoginAttempts })
+    }
+    if (isPermLocked) throw this.app.errors.ACCOUNT_LOCKED_PERM
+    if (isTempLocked) throw this.app.errors.ACCOUNT_LOCKED_TEMP
+    if (error) throw error
+  }
+
+  /**
+   * Checks if the user account is currently locked, and unlocks a temporarily locked account if appropriate
+   * @param {external:ExpressRequest} req
+   * @param {Object} user The current user
+   */
+  async handleLockStatus (user) {
+    const tempLockEndTime = new Date(user.lastFailedLoginAttempt).getTime() + this.getConfig('temporaryLockDuration') * 1000
+    const tempLockRemainingSecs = Math.round((tempLockEndTime - Date.now()) / 1000)
+
+    if (user.isPermLocked) {
+      throw this.app.errors.ACCOUNT_LOCKED_PERM
+    }
+    if (user.isTempLocked) {
+      if (tempLockRemainingSecs > 0) {
+        throw this.app.errors.ACCOUNT_LOCKED_TEMP
+          .setData({ remaining: LocalAuthModule.formatRemainingTime(tempLockRemainingSecs) })
+      }
+      await this.updateUser(user._id, { isTempLocked: false })
+    }
+  }
+
+  /** @override */
+  async register (data) {
+    await PasswordUtils.validate(data.password)
+    return super.register({ ...data, password: await PasswordUtils.generate(data.password) })
+  }
+
+  /**
+   * Register a new super user
+   * @param {Object} data
+   */
+  async registerSuper (data) {
+    const [roles, users] = await this.app.waitForModule('roles', 'users')
+    const [superRole] = await roles.find({ shortName: 'superuser' })
+    const superUsers = await users.find({ roles: [superRole._id] })
+    if (superUsers.length) {
+      throw this.app.errors.SUPER_USER_EXISTS
+    }
+    await this.register({
+      email: data.email,
+      password: data.password,
+      firstName: 'Super',
+      lastName: 'User',
+      roles: [superRole._id.toString()]
+    })
+  }
+
+  /** @override */
+  async setUserEnabled (user, isEnabled) {
+    await super.setUserEnabled(user, isEnabled)
+    await this.users.update({ _id: user._id }, {
+      failedLoginAttempts: isEnabled ? 0 : user.failedAttempts,
+      isPermLocked: !isEnabled,
+      isTempLocked: !isEnabled
+    }, {
+      schemaName: this.userSchema
+    })
+  }
+
+  /**
+   * Updates a single user
+   * @param {external:ExpressRequest} req
+   * @param {String|ObjectId|Object} userIdOrQuery Accepts a user _id or a query object
+   * @param {Object} updateData JSON data to use for update
+   * @return {Promise}
+   */
+  async updateUser (userIdOrQuery, updateData) {
+    const isId = _.isString(userIdOrQuery) || (userIdOrQuery.constructor && userIdOrQuery.constructor.name === 'ObjectId')
+    const query = isId ? { _id: userIdOrQuery } : userIdOrQuery
+
+    if (!Object.prototype.hasOwnProperty.call(updateData, 'password')) {
+      return this.users.update(query, updateData, { schemaName: this.userSchema, useDefaults: false, ignoreRequired: true })
+    }
+    await PasswordUtils.validate(updateData.password)
+    updateData.password = await PasswordUtils.generate(updateData.password)
+    // password updates required special process
+    const [mailer, mongodb] = await this.app.waitForModule('mailer', 'mongodb')
+    const user = await mongodb.update(this.users.collectionName, query, { $set: updateData })
+
+    await this.disavowUser({ userId: user._id, authType: this.type })
+
+    const subject = this.app.lang.translate(undefined, 'app.updateusersubject')
+    const text = this.app.lang.translate(undefined, 'app.updateusertext')
+    const html = this.app.lang.translate(undefined, 'app.updateuserhtml')
+    try {
+      if(mailer.isEnabled) await mailer.send({ to: user.email, subject, text, html })
+    } catch(e) {
+      this.log('error', e)
+    }
+
+    return user
+  }
+
+  /**
+   * Creates a new password reset token and sends an email
+   * @param {String} email
+   * @param {String} subject
+   * @param {String} textContent
+   * @param {String} htmlContent
+   * @param {Number} lifespan The lifespan of the reset
+   */
+  async createPasswordReset (email, subject, textContent, htmlContent, lifespan) {
+    if (!email) {
+      throw this.app.errors.INVALID_PARAMS.setData({ params: ['email'] })
+    }
+    try {
+      const [mailer, server] = await this.app.waitForModule('mailer', 'server')
+      const token = await PasswordUtils.createReset(email, lifespan)
+      const url = `${server.root.url}#user/reset?token=${token}&email=${email}`
+      await mailer.send({
+        to: email,
+        subject,
+        text: textContent.replace(/{{url}}/g, url),
+        html: htmlContent.replace(/{{url}}/g, url)
+      })
+    } catch (e) {
+      this.log('error', `Failed to create user password reset, ${e}`)
+      throw e
+    }
+  }
+
+  /**
+   * Handles inviting a new user to the system
+   * @param {external:ExpressRequest} req
+   * @param {external:ExpressResponse} res
+   * @param {Function} next
+   */
+  async inviteHandler (req, res, next) {
+    try {
+      const { email } = req.body
+      const subject = req.translate('app.invitepasswordsubject')
+      const text = req.translate('app.invitepasswordtext')
+      const html = req.translate('app.invitepasswordhtml')
+      await this.createPasswordReset(email, subject, text, html, this.getConfig('inviteTokenLifespan'))
+      this.log('debug', 'INVITE_SENT', email, req?.auth?.user?._id?.toString())
+    } catch (e) {
+      return next(e)
+    }
+    res.sendStatus(204)
+  }
+
+  /**
+   * Registers a Super User. This is restricted to localhost, and can only be used to create the first Super User.
+   * @param {external:ExpressRequest} req
+   * @param {external:ExpressResponse} res
+   * @param {Function} next
+   */
+  async registerSuperHandler (req, res, next) {
+    try {
+      await this.registerSuper(req.body)
+      res.sendStatus(204)
+    } catch (e) {
+      next(e)
+    }
+  }
+
+  /**
+   * Handles sending a user password reset
+   * @param {external:ExpressRequest} req
+   * @param {external:ExpressResponse} res
+   * @param {Function} next
+   */
+  async forgotPasswordHandler (req, res, next) {
+    try {
+      const { email } = req.body
+      const subject = req.translate('app.forgotpasswordsubject')
+      const text = req.translate('app.forgotpasswordtext')
+      const html = req.translate('app.forgotpasswordhtml')
+      await this.createPasswordReset(email, subject, text, html)
+      this.log('debug', 'RESET_SENT', email, req?.auth?.user?._id?.toString())
+    } catch (e) { // don't return an error to avoid signifying correct user/pass combinations
+      this.log('error', 'RESET_PASS_FAILED', e)
+    }
+    res.status(200).json({ message: req.translate('app.forgotpasswordmessage') })
+  }
+
+  /**
+   * Handles changing a user password. If no auth is given, a reset token must be present
+   * @param {external:ExpressRequest} req
+   * @param {external:ExpressResponse} res
+   * @param {Function} next
+   */
+  async changePasswordHandler (req, res, next) {
+    let email
+    try {
+      if (req.auth.token) { // already authenticated, so can use auth data
+        if (req.auth.token.type !== this.type) throw new Error()
+        // allow for a specific email to be passed via body, falling back to the email from the auth data
+        email = req.body.email || req.auth.user.email
+        // validate the existing password for security
+        const [user] = await this.users.find({ email });
+        await PasswordUtils.compare(req.body.oldPassword, user.password);
+      } else { // no authenticated, so should expect body data
+        const tokenData = await PasswordUtils.validateReset(req.body.token)
+        email = tokenData.email
+      }
+      if (!email) throw new Error()
+
+      const { _id } = await this.updateUser({ email }, { password: req.body.password })
+
+      if (!req.auth.token) {
+        await PasswordUtils.deleteReset(req.body.token)
+      }
+      await this.disavowUser({ userId: _id, signature: req.auth?.token?.signature })
+      this.log('debug', 'CHANGE_PASS', _id, req?.auth?.user?._id?.toString())
+      res.status(204).end()
+    } catch (e) {
+      if (email) this.log('debug', 'CHANGE_PASS_FAILED', email)
+      return next(e)
+    }
+  }
+
+  /**
+   * Handles changing a user password. If no auth is given, a reset token must be present
+   * @param {external:ExpressRequest} req
+   * @param {external:ExpressResponse} res
+   * @param {Function} next
+   */
+  async validatePasswordHandler (req, res, next) {
+    try {
+      await PasswordUtils.validate(req.body.password)
+      res.json({ message: req.translate('app.passwordindicatorstrong') })
+    } catch (e) {
+      e.data.errors = e.data.errors.map(req.translate).join(', ')
+      res.sendError(e)
+    }
+  }
+}
+
+export default LocalAuthModule

package/lib/PasswordUtils.js

@@ -0,0 +1,173 @@
+import { App } from 'adapt-authoring-core'
+import bcrypt from 'bcryptjs'
+import crypto from 'crypto'
+import { promisify } from 'util'
+
+/** @ignore */ const passwordResetsCollectionName = 'passwordresets'
+/**
+ * Various utilities related to password functionality
+ * @memberof localauth
+ */
+class PasswordUtils {
+  /**
+   * Retrieves a localauth config item
+   * @return {Promise}
+   */
+  static async getConfig (...keys) {
+    const authlocal = await App.instance.waitForModule('auth-local')
+
+    if (keys.length === 1) {
+      return authlocal.getConfig(keys[0])
+    }
+    return keys.reduce((m, k) => {
+      m[k] = authlocal.getConfig(k)
+      return m
+    }, {})
+  }
+
+  /**
+   * Compares a plain password to a hash
+   * @param {String} plainPassword
+   * @param {String} hash
+   * @return {Promise}
+   */
+  static async compare (plainPassword, hash) {
+    const error = App.instance.errors.INVALID_LOGIN_DETAILS
+    if (!plainPassword || !hash) {
+      throw error.setData({
+        error: App.instance.errors.INVALID_PARAMS.setData({ params: ['plainPassword', 'hash'] })
+      })
+    }
+    try {
+      const isValid = await promisify(bcrypt.compare)(plainPassword, hash)
+      if (!isValid) throw new Error()
+    } catch (e) {
+      throw error.setData({ error: App.instance.errors.INCORRECT_PASSWORD })
+    }
+  }
+
+  /**
+   * Validates a password against the stored config settings
+   * @param {String} password Password to validate
+   * @returns {Promise} Resolves if the password passes the validation
+   */
+  static async validate (password) {
+    const authlocal = await App.instance.waitForModule('auth-local')
+    if (typeof password !== 'string') {
+      throw App.instance.errors.INVALID_PARAMS.setData({ params: ['password'] })
+    }
+    const blacklisted = authlocal.getConfig('blacklistedPasswordValues')
+    const match = (key, re) => !authlocal.getConfig(key) || password.search(re) > -1
+    const validationChecks = {
+      INVALID_PASSWORD_LENGTH: [password.length >= authlocal.getConfig('minPasswordLength'), { length: authlocal.getConfig('minPasswordLength') }],
+      INVALID_PASSWORD_NUMBER: [match('passwordMustHaveNumber', /[0-9]/)],
+      INVALID_PASSWORD_UPPERCASE: [match('passwordMustHaveUppercase', /[A-Z]/)],
+      INVALID_PASSWORD_LOWERCASE: [match('passwordMustHaveLowercase', /[a-z]/)],
+      INVALID_PASSWORD_SPECIAL: [match('passwordMustHaveSpecial', /[#?!@$%^&*-]/)],
+      BLACKLISTED_PASSWORD_VALUE: [blacklisted.length === 0 || blacklisted.some(p => !(password.includes(p)))]
+    }
+    const errors = Object.entries(validationChecks).reduce((m, [code, [isValid, data]]) => {
+      if (!isValid) m.push(App.instance.errors[code].setData(data))
+      return m
+    }, [])
+    if (errors.length) throw App.instance.errors.INVALID_PASSWORD.setData({ errors })
+  }
+
+  /**
+   * Generates a secure hash from a plain-text password
+   * @param {String} plainPassword
+   * @return {Promise} Resolves with the hash
+   */
+  static async generate (plainPassword) {
+    if (!plainPassword) {
+      throw App.instance.errors.INVALID_PARAMS.setData({ params: ['plainPassword'] })
+    }
+    const jsonschema = await App.instance.waitForModule('jsonschema')
+    const schema = await jsonschema.getSchema('localpassword')
+    await schema.validate({ password: plainPassword })
+
+    const saltRounds = await PasswordUtils.getConfig('saltRounds')
+    const salt = await promisify(bcrypt.genSalt)(saltRounds)
+
+    return promisify(bcrypt.hash)(plainPassword, salt)
+  }
+
+  /**
+   * Creates a password reset token
+   * @param {String} email The user's email address
+   * @param {Number} lifespan The intended token lifespan in milliseconds
+   * @return {Promise} Resolves with the token value
+   */
+  static async createReset (email, lifespan) {
+    const [mongodb, users] = await App.instance.waitForModule('mongodb', 'users')
+    const [user] = await users.find({ email })
+    if (!user) {
+      throw App.instance.errors.NOT_FOUND
+        .setData({ type: 'user', id: email })
+    }
+    if (user.authType !== 'local') {
+      const authlocal = await App.instance.waitForModule('auth-local')
+      authlocal.log('error', `Failed to reset ${user._id} password, not authenticated with local auth`)
+      throw App.instance.errors.ACCOUNT_NOT_LOCALAUTHD
+    }
+    // invalidate any previous tokens for this user
+    await mongodb.getCollection(passwordResetsCollectionName).deleteMany({ email })
+
+    if (!lifespan) {
+      lifespan = await this.getConfig('resetTokenLifespan')
+    }
+    const { token } = await mongodb.insert(passwordResetsCollectionName, {
+      email,
+      expiresAt: new Date(Date.now() + lifespan).toISOString(),
+      token: await this.getRandomHex()
+    })
+    return token
+  }
+
+  /**
+   * Deletes a stored password reset token
+   * @param {String} token The token value
+   * @return {Promise}
+   */
+  static async deleteReset (token) {
+    const mongodb = await App.instance.waitForModule('mongodb')
+    return mongodb.delete(passwordResetsCollectionName, { token })
+  }
+
+  /**
+   * Creates a random hex string
+   * @param {Number} size Size of string
+   * @return {Promise} Resolves with the string value
+   */
+  static async getRandomHex (size = 32) {
+    const buffer = await promisify(crypto.randomBytes)(size)
+    return buffer.toString('hex')
+  }
+
+  /**
+   * Validates a password reset token
+   * @param {String} token The password reset token
+   * @return {Promise} Rejects on invalid token
+   */
+  static async validateReset (token) {
+    if (!token) {
+      throw App.instance.errors.INVALID_PARAMS.setData({ params: ['token'] })
+    }
+    const [mongodb, users] = await App.instance.waitForModule('mongodb', 'users')
+    const [tokenData] = await mongodb.find(passwordResetsCollectionName, { token })
+    if (!tokenData) {
+      throw App.instance.errors.AUTH_TOKEN_INVALID
+    }
+    if (new Date(tokenData.expiresAt) < new Date()) {
+      throw App.instance.errors.AUTH_TOKEN_EXPIRED
+    }
+    const [user] = await users.find({ email: tokenData.email })
+    if (!user) {
+      throw App.instance.errors.NOT_FOUND
+        .setData({ type: 'user', id: token.email })
+    }
+    return tokenData
+  }
+}
+
+export default PasswordUtils

package/lib/apidefs.js

@@ -0,0 +1,195 @@
+export default {
+  changepass: {
+    post: {
+      summary: 'Change the password of a user',
+      description: 'Can be used with or without authentication. If authenticated, an email/password combination will be acepted. If unauthenticated, a valid reset token and password must be specified.',
+      requestBody: {
+        content: {
+          'application/json': {
+            schema: {
+              $schema: 'https://json-schema.org/draft/2020-12/schema',
+              type: 'object',
+              properties: {
+                email: { type: 'string' },
+                password: { type: 'string' },
+                token: { type: 'string' }
+              }
+            }
+          }
+        }
+      },
+      responses: { 204: {} }
+    }
+  },
+  forgotpass: {
+    post: {
+      summary: 'Trigger a password reset',
+      description: 'Generates a password reset and emails this to the user with instructions on updating their password.',
+      requestBody: {
+        content: {
+          'application/json': {
+            schema: {
+              $schema: 'https://json-schema.org/draft/2020-12/schema',
+              type: 'object',
+              properties: {
+                email: { type: 'string' }
+              }
+            }
+          }
+        }
+      },
+      responses: {
+        200: {
+          content: {
+            'application/json': {
+              schema: {
+                $schema: 'https://json-schema.org/draft/2020-12/schema',
+                type: 'object',
+                properties: {
+                  message: { type: 'string' }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  },
+  invite: {
+    post: {
+      summary: 'Invite a new user',
+      requestBody: {
+        content: {
+          'application/json': {
+            schema: {
+              $schema: 'https://json-schema.org/draft/2020-12/schema',
+              type: 'object',
+              properties: {
+                email: { type: 'string' }
+              }
+            }
+          }
+        }
+      },
+      responses: { 204: {} }
+    }
+  },
+  register: {
+    post: {
+      summary: 'Register a new user',
+      requestBody: {
+        content: {
+          'application/json': {
+            schema: {
+              $schema: 'https://json-schema.org/draft/2020-12/schema',
+              type: 'object',
+              properties: {
+                email: { type: 'string', required: true },
+                firstName: { type: 'string', required: true },
+                lastName: { type: 'string', required: true },
+                password: { type: 'string', required: true },
+                roles: {
+                  type: 'array',
+                  items: { type: 'string' }
+                }
+              }
+            }
+          }
+        }
+      },
+      responses: {
+        200: {
+          content: {
+            'application/json': {
+              schema: { $ref: '#components/schemas/localauthuser' }
+            }
+          }
+        }
+      }
+    }
+  },
+  registersuper: {
+    post: {
+      summary: 'Register a new super user',
+      description: 'Only one user can be registered in this way, and if a super user already exists the request will fail.',
+      requestBody: {
+        content: {
+          'application/json': {
+            schema: {
+              $schema: 'https://json-schema.org/draft/2020-12/schema',
+              type: 'object',
+              properties: {
+                email: { type: 'string', required: true },
+                password: { type: 'string', required: true }
+              }
+            }
+          }
+        }
+      },
+      responses: {
+        200: {
+          content: {
+            'application/json': {
+              schema: { $ref: '#components/schemas/localauthuser' }
+            }
+          }
+        }
+      }
+    }
+  },
+  root: {
+    post: {
+      summary: 'Authenticate with the API',
+      requestBody: {
+        content: {
+          'application/json': {
+            schema: {
+              $schema: 'https://json-schema.org/draft/2020-12/schema',
+              type: 'object',
+              properties: {
+                email: { type: 'string', required: true },
+                password: { type: 'string', required: true },
+                persistSession: { type: 'boolean' }
+              }
+            }
+          }
+        }
+      },
+      responses: { 204: {} }
+    }
+  },
+  validatepass: {
+    post: {
+      summary: 'Validate password',
+      description: 'Checks that a password passes the required complexity specified in the application\'s configuration settings.',
+      requestBody: {
+        content: {
+          'application/json': {
+            schema: {
+              $schema: 'https://json-schema.org/draft/2020-12/schema',
+              type: 'object',
+              properties: {
+                password: { type: 'string', required: true }
+              }
+            }
+          }
+        }
+      },
+      responses: {
+        200: {
+          content: {
+            'application/json': {
+              schema: {
+                $schema: 'https://json-schema.org/draft/2020-12/schema',
+                type: 'object',
+                properties: {
+                  message: { type: 'string' }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "adapt-authoring-auth-local",
+  "version": "0.0.1",
+  "description": "Module which implements username/password (local) authentication",
+  "homepage": "https://github.com/adapt-security/adapt-authoring-auth-local",
+  "license": "GPL-3.0",
+  "type": "module",
+  "main": "index.js",
+  "repository": "github:adapt-security/adapt-authoring-auth-local",
+  "dependencies": {
+    "bcryptjs": "3.0.2",
+    "date-fns": "^4.1.0",
+    "lodash": "^4.17.21"
+  },
+  "peerDependencies": {
+    "adapt-authoring-auth": "github:adapt-security/adapt-authoring-auth",
+    "adapt-authoring-core": "github:adapt-security/adapt-authoring-core",
+    "adapt-authoring-sessions": "github:adapt-security/adapt-authoring-sessions"
+  },
+  "devDependencies": {
+    "eslint": "^9.11.0",
+    "standard": "^17.1.0"
+  }
+}

package/schema/localauthuser.schema.json

@@ -0,0 +1,42 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$anchor": "localauthuser",
+  "description": "Local authentication user",
+  "$merge": {
+    "source": { "$ref": "user" },
+    "with": {
+      "properties": {
+        "isTempLocked": {
+          "description": "Whether the user account has been temporarily locked",
+          "type": "boolean",
+          "default": false,
+          "isReadOnly": true
+        },
+        "isPermLocked": {
+          "description": "Whether the user account has been permanently locked",
+          "type": "boolean",
+          "default": false,
+          "isReadOnly": true
+        },
+        "password": {
+          "description": "Password for the user",
+          "type": "string",
+          "isInternal": true
+        },
+        "failedLoginAttempts": {
+          "description": "The number of failed login attempts",
+          "type": "number",
+          "default": 0
+        },
+        "lastFailedLoginAttempt": {
+          "description": "Timestamp of the last failed login attempt",
+          "type": "string",
+          "format": "date-time",
+          "isDate": true,
+          "isReadOnly": true
+        }
+      },
+      "required": ["password"]
+    }
+  }
+}

package/schema/localpassword.schema.json

@@ -0,0 +1,13 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$anchor": "localpassword",
+  "description": "Local authentication password",
+  "properties": {
+    "password": {
+      "description": "Password value",
+      "type": "string",
+      "password": "password"
+    }
+  },
+  "required": ["password"]
+}