fiber-firebase-functions 1.0.2 → 1.0.4

package/src/auth/update_password.ts

@@ -1,211 +0,0 @@
-/*
- * Copyright (C) 2025 Fiber
- *
- * All rights reserved. This script, including its code and logic, is the
- * exclusive property of Fiber. Redistribution, reproduction,
- * or modification of any part of this script is strictly prohibited
- * without prior written permission from Fiber.
- *
- * Conditions of use:
- * - The code may not be copied, duplicated, or used, in whole or in part,
- *   for any purpose without explicit authorization.
- * - Redistribution of this code, with or without modification, is not
- *   permitted unless expressly agreed upon by Fiber.
- * - The name "Fiber" and any associated branding, logos, or
- *   trademarks may not be used to endorse or promote derived products
- *   or services without prior written approval.
- *
- * Disclaimer:
- * THIS SCRIPT AND ITS CODE ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL
- * FIBER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO LOSS OF USE,
- * DATA, PROFITS, OR BUSINESS INTERRUPTION) ARISING OUT OF OR RELATED TO THE USE
- * OR INABILITY TO USE THIS SCRIPT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * Unauthorized copying or reproduction of this script, in whole or in part,
- * is a violation of applicable intellectual property laws and will result
- * in legal action.
- */
-
-import * as admin from "firebase-admin";
-import { RealtimeDatabase } from "../common/realtime_database";
-import { isRateLimited, RateLimitCheckStatus, RateLimitIdentifier, RateLimitRule, recordRateLimitHit } from "../middleware/rate_limiter";
-import { isUserDisabledById } from "./is_user_disabled";
-import { isUserExistsById } from "./is_user_exists";
-import { getUserByEmail, UserByEmailStatus } from "./user";
-
-if (admin.apps.length === 0) {
-    admin.initializeApp();
-}
-
-export enum ResetPasswordByEmailStatus {
-    MISSING_USER_EMAIL = "MISSING_USER_EMAIL",
-    MISSING_NEW_PASSWORD = "MISSING_NEW_PASSWORD",
-    MISSING_CONFIRM_NEW_PASSWORD = "MISSING_CONFIRM_NEW_PASSWORD",
-    MISSING_PASSWORD_POLICY = "MISSING_PASSWORD_POLICY",
-    NOT_IDENTICAL_CONFIRM_PASSWORD = "NOT_IDENTICAL_CONFIRM_PASSWORD",
-    USER_NOT_FOUND = "USER_NOT_FOUND",
-    USER_DISABLED = "USER_DISABLED",
-    WEAK_NEW_PASSWORD = "WEAK_NEW_PASSWORD",
-    MISSING_PASSWORD_UPPERCASE = "MISSING_PASSWORD_UPPERCASE",
-    MISSING_PASSWORD_LOWERCASE = "MISSING_PASSWORD_LOWERCASE",
-    MISSING_PASSWORD_DIGIT = "MISSING_PASSWORD_DIGIT",
-    MISSING_PASSWORD_SPECIAL_CHAR = "MISSING_PASSWORD_SPECIAL_CHAR",
-    TOO_MANY_REQUEST = "TOO_MANY_REQUEST",
-    SUCCESS = "SUCCESS",
-    INTERNAL_ERROR = "INTERNAL_ERROR",
-}
-
-export enum ResetPasswordByIdStatus {
-    MISSING_USER_EMAIL = "MISSING_USER_EMAIL",
-    MISSING_NEW_PASSWORD = "MISSING_NEW_PASSWORD",
-    MISSING_CONFIRM_NEW_PASSWORD = "MISSING_CONFIRM_NEW_PASSWORD",
-    MISSING_PASSWORD_POLICY = "MISSING_PASSWORD_POLICY",
-    NOT_IDENTICAL_CONFIRM_PASSWORD = "NOT_IDENTICAL_CONFIRM_PASSWORD",
-    USER_NOT_FOUND = "USER_NOT_FOUND",
-    USER_DISABLED = "USER_DISABLED",
-    WEAK_NEW_PASSWORD = "WEAK_NEW_PASSWORD",
-    MISSING_PASSWORD_UPPERCASE = "MISSING_PASSWORD_UPPERCASE",
-    MISSING_PASSWORD_LOWERCASE = "MISSING_PASSWORD_LOWERCASE",
-    MISSING_PASSWORD_DIGIT = "MISSING_PASSWORD_DIGIT",
-    MISSING_PASSWORD_SPECIAL_CHAR = "MISSING_PASSWORD_SPECIAL_CHAR",
-    TOO_MANY_REQUEST = "TOO_MANY_REQUEST",
-    SUCCESS = "SUCCESS",
-    INTERNAL_ERROR = "INTERNAL_ERROR",
-}
-
-export interface PasswordPolicy {
-    minLength: number;
-    requireUppercase: boolean;
-    requireLowercase: boolean;
-    requireDigit: boolean;
-    requireSpecial: boolean;
-}
-
-export interface ResetPassword {
-    newPassword: string;
-    confirmNewPassword: string;
-    passwordPolicy: PasswordPolicy;
-}
-
-export async function resetPasswordByEmail(email: string, password: ResetPassword, databaseConfig: RealtimeDatabase): Promise<ResetPasswordByEmailStatus> {
-    email = email.trim();
-
-    if (!email) return ResetPasswordByEmailStatus.MISSING_USER_EMAIL;
-
-    const newPassword = password.newPassword.trim();
-    const confirmNewPassword = password.confirmNewPassword.trim();
-
-    if (!newPassword || newPassword === "") return ResetPasswordByEmailStatus.MISSING_NEW_PASSWORD;
-    if (!confirmNewPassword || confirmNewPassword === "") return ResetPasswordByEmailStatus.MISSING_CONFIRM_NEW_PASSWORD;
-
-    const passwordPolicy = password.passwordPolicy;
-
-    if (!passwordPolicy) return ResetPasswordByEmailStatus.MISSING_PASSWORD_POLICY;
-
-    const userResult = await getUserByEmail(email);
-    const user = userResult.user;
-
-    if (userResult.status !== UserByEmailStatus.FOUND || user === undefined) return ResetPasswordByEmailStatus.USER_NOT_FOUND;
-
-    const identifier: RateLimitIdentifier = {
-        id: user.uid,
-        target: "reset_password"
-    };
-
-    const rule: RateLimitRule = {
-        ttl: 2 * 60 * 1000,
-        windowMs: 3 * 60 * 1000,
-        maxHits: 5,
-    };
-
-    if (await isRateLimited(identifier, rule, databaseConfig) !== RateLimitCheckStatus.LIMIT_NOT_FOUND) {
-        return ResetPasswordByEmailStatus.TOO_MANY_REQUEST;
-    }
-    await recordRateLimitHit(identifier, rule, databaseConfig);
-
-    if (await isUserDisabledById(user.uid)) return ResetPasswordByEmailStatus.USER_DISABLED;
-
-    if (newPassword !== confirmNewPassword) return ResetPasswordByEmailStatus.NOT_IDENTICAL_CONFIRM_PASSWORD;
-
-    const requiredMin = Math.max(6, passwordPolicy.minLength);
-    if (newPassword.length < requiredMin) return ResetPasswordByEmailStatus.WEAK_NEW_PASSWORD;
-
-    const rules = [
-        { enabled: passwordPolicy.requireUppercase, regex: /[A-Z]/, error: ResetPasswordByEmailStatus.MISSING_PASSWORD_UPPERCASE },
-        { enabled: passwordPolicy.requireLowercase, regex: /[a-z]/, error: ResetPasswordByEmailStatus.MISSING_PASSWORD_LOWERCASE },
-        { enabled: passwordPolicy.requireDigit, regex: /[0-9]/, error: ResetPasswordByEmailStatus.MISSING_PASSWORD_DIGIT },
-        { enabled: passwordPolicy.requireSpecial, regex: /[^A-Za-z0-9]/, error: ResetPasswordByEmailStatus.MISSING_PASSWORD_SPECIAL_CHAR },
-    ];
-
-    for (const rule of rules) {
-        if (rule.enabled && !rule.regex.test(newPassword)) return rule.error;
-    }
-
-    try {
-        await admin.auth().updateUser(user.uid, { password: newPassword });
-        return ResetPasswordByEmailStatus.SUCCESS;
-    } catch (error: any) {
-        return ResetPasswordByEmailStatus.INTERNAL_ERROR;
-    }
-}
-
-export async function resetPasswordById(userId: string, password: ResetPassword, databaseConfig: RealtimeDatabase): Promise<ResetPasswordByIdStatus> {
-    userId = userId.trim();
-
-    if (!userId) return ResetPasswordByIdStatus.MISSING_USER_EMAIL;
-
-    const newPassword = password.newPassword.trim();
-    const confirmNewPassword = password.confirmNewPassword.trim();
-
-    if (!newPassword || newPassword === "") return ResetPasswordByIdStatus.MISSING_NEW_PASSWORD;
-    if (!confirmNewPassword || confirmNewPassword === "") return ResetPasswordByIdStatus.MISSING_CONFIRM_NEW_PASSWORD;
-
-    const passwordPolicy = password.passwordPolicy;
-
-    if (!passwordPolicy) return ResetPasswordByIdStatus.MISSING_PASSWORD_POLICY;
-
-    const identifier: RateLimitIdentifier = {
-        id: userId,
-        target: "reset_password"
-    };
-
-    const rule: RateLimitRule = {
-        ttl: 2 * 60 * 1000,
-        windowMs: 3 * 60 * 1000,
-        maxHits: 5,
-    };
-
-    if (await isRateLimited(identifier, rule, databaseConfig) !== RateLimitCheckStatus.LIMIT_NOT_FOUND) {
-        return ResetPasswordByIdStatus.TOO_MANY_REQUEST;
-    }
-    await recordRateLimitHit(identifier, rule, databaseConfig);
-
-    if (await isUserExistsById(userId)) return ResetPasswordByIdStatus.USER_NOT_FOUND;
-    if (await isUserDisabledById(userId)) return ResetPasswordByIdStatus.USER_DISABLED;
-
-    if (newPassword !== confirmNewPassword) return ResetPasswordByIdStatus.NOT_IDENTICAL_CONFIRM_PASSWORD;
-
-    const requiredMin = Math.max(6, passwordPolicy.minLength);
-    if (newPassword.length < requiredMin) return ResetPasswordByIdStatus.WEAK_NEW_PASSWORD;
-
-    const rules = [
-        { enabled: passwordPolicy.requireUppercase, regex: /[A-Z]/, error: ResetPasswordByIdStatus.MISSING_PASSWORD_UPPERCASE },
-        { enabled: passwordPolicy.requireLowercase, regex: /[a-z]/, error: ResetPasswordByIdStatus.MISSING_PASSWORD_LOWERCASE },
-        { enabled: passwordPolicy.requireDigit, regex: /[0-9]/, error: ResetPasswordByIdStatus.MISSING_PASSWORD_DIGIT },
-        { enabled: passwordPolicy.requireSpecial, regex: /[^A-Za-z0-9]/, error: ResetPasswordByIdStatus.MISSING_PASSWORD_SPECIAL_CHAR },
-    ];
-
-    for (const rule of rules) {
-        if (rule.enabled && !rule.regex.test(newPassword)) return rule.error;
-    }
-
-    try {
-        await admin.auth().updateUser(userId, { password: newPassword });
-        return ResetPasswordByIdStatus.SUCCESS;
-    } catch (error: any) {
-        return ResetPasswordByIdStatus.INTERNAL_ERROR;
-    }
-}