Merge pull request #84 from njxue/forgot-password

Forgot password with email and reset token

Author: SPWwj

backend/user-service/.env.example

@@ -35,3 +35,12 @@ REDIS_PORT=6379
 PEERPREP_QUESTION_INITDB_NAME=peerprepQuestionServiceDB # must match question service .env file and init-mongo.js
 PEERPREP_USER_INITDB_NAME=peerprepUserServiceDB # must match user service .env file and init-mongo.js
 PEERPREP_MATCHING_INITDB_NAME=peerprepMatchingServiceDB # must match user service .env file and init-mongo.js
+
+# SMTP configs for email
+SMTP_HOST=smtp.gmail.com
+SMTP_PORT=587
+SMTP_USER=[email protected]
+SMTP_PASSWORD=scdqcveqpurzzajj
+
+# App URL 
+APP_URL=http://localhost:3000

backend/user-service/config/authConfig.js

@@ -9,8 +9,12 @@ export const jwtConfig = {
   accessTokenOptions: {
     expiresIn: process.env.ENV === "production" ? "15m" : "30s", // Shorter duration in dev for testing
   },
+  resetTokenOptions: {
+    expiresIn: "15m",
+  },
   accessTokenSecret: process.env.JWT_ACCESS_TOKEN_SECRET,
   refreshTokenSecret: process.env.JWT_REFRESH_TOKEN_SECRET,
+  resetTokenSecret: process.env.JWT_RESET_TOKEN_SECRET,
 };
 
 export const REFRESH_TOKEN_COOKIE_KEY = "refreshToken";

backend/user-service/config/emailConfig.js

@@ -0,0 +1,10 @@
+import dotenv from "dotenv";
+
+dotenv.config();
+
+export const emailConfig = {
+  user: process.env.SMTP_USER,
+  password: process.env.SMTP_PASSWORD,
+  smtp_host: process.env.SMTP_HOST,
+  smtp_port: Number(process.env.SMTP_PORT),
+};

backend/user-service/controller/auth-controller.js

@@ -4,7 +4,6 @@ import { formatUserResponse } from "./user-controller.js";
 import { jwtConfig, REFRESH_TOKEN_COOKIE_KEY, refreshTokenCookieOptions } from "../config/authConfig.js";
 import TokenService from "../services/tokenService.js";
 import { BadRequestError, NotFoundError, UnauthorisedError } from "../utils/httpErrors.js";
-import { decode } from "jsonwebtoken";
 
 export async function handleLogin(req, res, next) {
   const { email, password } = req.body;
@@ -44,7 +43,7 @@ export async function handleLogout(req, res, next) {
     }
     const refreshToken = req.cookies[REFRESH_TOKEN_COOKIE_KEY];
     const decodedToken = await TokenService.verifyToken(refreshToken, jwtConfig.refreshTokenSecret);
-    await TokenService.blacklistToken(decodedToken);
+    await TokenService.blacklistRefreshToken(decodedToken);
     return res.sendStatus(204);
   } catch (err) {
     next(err);
@@ -83,7 +82,7 @@ export async function refresh(req, res, next) {
     const accessToken = TokenService.generateAccessToken(dbUser);
     const newRefreshToken = TokenService.generateRefreshToken(dbUser);
     res.cookie(REFRESH_TOKEN_COOKIE_KEY, newRefreshToken, refreshTokenCookieOptions);
-    await TokenService.blacklistToken(decodedRefreshToken);
+    await TokenService.blacklistRefreshToken(decodedRefreshToken);
 
     return res.status(200).json({
       message: "Access token refreshed",

backend/user-service/controller/user-controller.js

@@ -1,5 +1,4 @@
 import bcrypt from "bcrypt";
-import jwt from "jsonwebtoken";
 import { jwtConfig, REFRESH_TOKEN_COOKIE_KEY, refreshTokenCookieOptions } from "../config/authConfig.js";
 import { isValidObjectId } from "mongoose";
 import {
@@ -12,10 +11,15 @@ import {
   findUserByUsernameOrEmail as _findUserByUsernameOrEmail,
   updateUserById as _updateUserById,
   updateUserPrivilegeById as _updateUserPrivilegeById,
+  findUserByEmail,
 } from "../model/repository.js";
-import { BadRequestError, ConflictError, NotFoundError } from "../utils/httpErrors.js";
+import { BadRequestError, ConflictError, NotFoundError, UnauthorisedError } from "../utils/httpErrors.js";
 import TokenService from "../services/tokenService.js";
+import { sendEmail } from "../services/emailService.js";
+import dotenv from "dotenv";
 
+dotenv.config();
+const PASSWORD_SALT = 10;
 export async function createUser(req, res, next) {
   try {
     const { username, email, password } = req.body;
@@ -28,7 +32,7 @@ export async function createUser(req, res, next) {
       throw new ConflictError("Username or email already exists");
     }
 
-    const salt = bcrypt.genSaltSync(10);
+    const salt = bcrypt.genSaltSync(PASSWORD_SALT);
     const hashedPassword = bcrypt.hashSync(password, salt);
     const createdUser = await _createUser(username, email, hashedPassword);
 
@@ -42,12 +46,11 @@ export async function createUser(req, res, next) {
       data: { accessToken, user: { ...formatUserResponse(createdUser) } },
     });
   } catch (err) {
-    console.error('Error creating user:', err);
+    console.error("Error creating user:", err);
     next(err);
   }
 }
 
-
 export async function getUser(req, res, next) {
   try {
     const userId = req.params.id;
@@ -101,7 +104,7 @@ export async function updateUser(req, res, next) {
 
       let hashedPassword;
       if (password) {
-        const salt = bcrypt.genSaltSync(10);
+        const salt = bcrypt.genSaltSync(PASSWORD_SALT);
         hashedPassword = bcrypt.hashSync(password, salt);
       }
       const updatedUser = await _updateUserById(userId, username, email, hashedPassword);
@@ -162,6 +165,56 @@ export async function deleteUser(req, res, next) {
   }
 }
 
+export async function forgetPassword(req, res, next) {
+  try {
+    const { email } = req.body;
+    const resetToken = await TokenService.generateResetToken(email);
+    const passwordResetLink = `${process.env.APP_URL}/reset-password?token=${resetToken}`;
+
+    await sendEmail({
+      to: email,
+      subject: "Reset password",
+      htmlTemplateData: { passwordResetLink },
+    });
+
+    res.sendStatus(204);
+  } catch (err) {
+    console.error(err);
+    next(err);
+  }
+}
+
+export async function resetPassword(req, res, next) {
+  try {
+    const { password, token } = req.body;
+    if (password) {
+      const decoded = await TokenService.verifyResetToken(token, jwtConfig.resetTokenSecret);
+
+      if (await TokenService.isResetTokenBlacklisted(decoded)) {
+        throw new UnauthorisedError("Reset token is invalid");
+      }
+
+      const email = decoded.email;
+      const user = await findUserByEmail(email);
+      if (!user) {
+        throw new NotFoundError(`No user with the email ${email} is found`);
+      }
+      const salt = bcrypt.genSaltSync(PASSWORD_SALT);
+      const hashedPassword = bcrypt.hashSync(password, salt);
+      const updatedUser = await _updateUserById(user.id, user.username, user.email, hashedPassword);
+      await TokenService.blacklistResetToken(decoded);
+
+      return res.status(200).json({
+        message: "Password has been resetted",
+        data: formatUserResponse(updatedUser),
+      });
+    }
+  } catch (err) {
+    console.error(err);
+    next(err);
+  }
+}
+
 export function formatUserResponse(user) {
   return {
     _id: user.id,

backend/user-service/package-lock.json

@@ -20,9 +20,11 @@
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
     "dotenv": "^16.4.5",
+    "ejs": "^3.1.10",
     "express": "^4.19.2",
     "jsonwebtoken": "^9.0.2",
     "mongoose": "^8.5.4",
+    "nodemailer": "^6.9.16",
     "redis": "^4.7.0",
     "swagger-jsdoc": "^6.2.8",
     "swagger-ui-express": "^5.0.1",