Merge pull request #77 from CodeForBaltimore/token_updates

Adding support for short-term tokens and forgot password flow

Author: stoopidJSON

README.md

@@ -20,6 +20,8 @@ services:
   db:
     image: postgres
     restart: always
+    ports:
+      - '5432:5432'
     environment:
       - POSTGRES_USER=${DATABASE_USER}
       - POSTGRES_PASSWORD=${DATABASE_PASSWORD}

docker-compose.yml

@@ -96,6 +96,37 @@
         }
       }
     },
+    "/user/forgotpassword/{email}" : {
+      "post" : {
+        "tags" : [ "user" ],
+        "summary" : "sends a reset password email",
+        "description" : "The forgot password endpoint.",
+        "parameters" : [ {
+          "in" : "path",
+          "name" : "email",
+          "schema" : {
+            "type" : "string",
+            "format" : "email"
+          },
+          "required" : true,
+          "description" : "email of the user"
+        }],
+        "responses" : {
+          "200" : {
+            "description" : "Reset password email sent"
+          },
+          "404" : {
+            "description" : "User not found by email address provided"
+          },
+          "422" : {
+            "description" : "Invalid input"
+          },
+          "500" : {
+            "description" : "Server error"
+          }
+        }
+      }
+    },
     "/user" : {
       "post" : {
         "tags" : [ "user" ],

docs/swagger/swagger.json

@@ -0,0 +1,19 @@
+<h1>Reset Your Password</h1>
+
+<p>Need to reset your password? No Problem! Just click the button below and you'll be on your way. If you did not make this request, please ignore this email.</p>
+
+<table width="100%" cellspacing="0" cellpadding="0">
+  <tr>
+      <td>
+          <table cellspacing="0" cellpadding="0">
+              <tr>
+                  <td style="border-radius: 2px;" bgcolor="#ED2939">
+                      <a href="{{ emailResetLink }}" target="_blank" style="padding: 8px 12px; border: 1px solid #ED2939;border-radius: 2px;font-family: Helvetica, Arial, sans-serif;font-size: 14px; color: #ffffff;text-decoration: none;font-weight:bold;display: inline-block;">
+                          Reset Your Password             
+                      </a>
+                  </td>
+              </tr>
+          </table>
+      </td>
+  </tr>
+</table>

mail_templates/forgot_password_html.njk

@@ -0,0 +1,5 @@
+Reset Your Password
+
+Need to reset your password? No Problem! Just click the link below and you'll be on your way. If you did not make this request, please ignore this email.
+
+{{ emailResetLink }}

mail_templates/forgot_password_text.njk

@@ -2,7 +2,7 @@
   "name": "bmore-responsive",
   "version": "1.0.0",
   "description": "An emergency response API",
-  "main": "/src/app.js",
+  "main": "src/index.js",
   "directories": {
     "doc": "docs"
   },
@@ -44,7 +44,9 @@
     "lodash": "^4.17.15",
     "mocha": "7.1.1",
     "morgan": "1.9.1",
+    "nodemailer": "^6.4.6",
     "nodemon": "2.0.2",
+    "nunjucks": "^3.2.1",
     "pg": "7.18.2",
     "random-words": "1.1.0",
     "sequelize": "5.21.5",

package-lock.json

@@ -0,0 +1,48 @@
+import nodemailer from "nodemailer";
+import nunjucks from "nunjucks";
+
+const transporter = nodemailer.createTransport({
+  host: process.env.SMTP_HOST,
+  port: process.env.SMTP_PORT,
+  requireTLS: true,
+  auth: {
+    user: process.env.SMTP_USER,
+    pass: process.env.SMTP_PASSWORD
+  }
+});
+
+/**
+ * Generic email send function
+ * @param {string} to address to send mail to
+ * @param {string} subject email subject
+ * @param {string} html  html text of the email
+ * @param {string} text  plain text of the email
+ */
+const sendMail = async (to, subject, html, text) => {
+  let info = await transporter.sendMail({
+    from: `"Healthcare Roll Call" <${process.env.SMTP_USER}>`, // sender address
+    to, // list of receivers
+    subject, // Subject line
+    text, // plain text body
+    html // html body
+  });
+  console.log("Email sent: %s", info.messageId);
+};
+
+/**
+ * Send a forgot password email.
+ * @param {string} userEmail email address of the user we're sending to
+ * @param {string} resetPasswordToken temporary token for the reset password link
+ */
+const sendForgotPassword = async (userEmail, resetPasswordToken) => {
+  const emailResetLink = `https://healthcarerollcall.org/reset/${resetPasswordToken}`;
+  await sendMail(
+    userEmail,
+    "Password Reset - Healthcare Roll Call",
+    nunjucks.render("forgot_password_html.njk", { emailResetLink }),
+    nunjucks.render("forgot_password_text.njk", { emailResetLink })
+  );
+  return true;
+};
+
+export default { sendForgotPassword };

package.json

@@ -6,6 +6,7 @@ import requestId from 'express-request-id';
 import helmet from 'helmet';
 import morgan from 'morgan';
 import swaggerUi from 'swagger-ui-express';
+import nunjucks from 'nunjucks';
 
 import swaggerDocument from '../docs/swagger/swagger.json';
 import models, { sequelize } from './models';
@@ -17,6 +18,8 @@ const swaggerOptions = {
 	customCss: '.swagger-ui .topbar { display: none }'
 };
 
+nunjucks.configure('mail_templates', { autoescape: true });
+
 // Third-party middleware
 app.use(requestId());
 app.use(morgan('tiny'));
@@ -32,11 +35,6 @@ app.use(async (req, res, next) => {
 		models
 	};
 
-	/** @todo add some checks for auth tokens, etc */
-	// req.context.me = {
-	// 	id: 'abc-123'
-	// };
-
 	next();
 });
 

src/email/index.js

@@ -24,9 +24,6 @@ const user = (sequelize, DataTypes) => {
 		salt: {
 			type: DataTypes.STRING
 		},
-		token: {
-			type: DataTypes.STRING
-		},
 		roles: {
 			type: DataTypes.JSON
 		},
@@ -56,8 +53,7 @@ const user = (sequelize, DataTypes) => {
 		if (user) {
 			const pw = User.encryptPassword(password, user.salt);
 			if (pw === user.password) {
-				await user.update();
-				return user.token;
+				return await User.getToken(user.id);
 			}
 		}
 	};
@@ -71,27 +67,32 @@ const user = (sequelize, DataTypes) => {
 	 */
 	User.validateToken = async token => {
 		/** @todo check if it is a token at all */
-		if (!token) return false;
-
-		const decoded = jwt.decode(token);
-		const now = new Date();
-
-		if (now.getTime() < decoded.exp * 1000) {
-			const user = await User.findOne({
-				where: {token}
-			});
-			if (user) {
-				try {
-					return await jwt.verify(user.token, process.env.JWT_KEY, {email: user.email});
-				} catch {
-					return false;
+		if (token) {
+			try {
+				const decoded = jwt.verify(token, process.env.JWT_KEY);
+				const now = new Date();
+				if (now.getTime() < decoded.exp * 1000) {
+					const user = await User.findByPk(decoded.userId);
+					if (user) {
+						return user;
+					}
 				}
+			} catch (e) {
+				console.error(e);
 			}
-		} 
-
+		}
 		return false;
 	};
 
+	User.getToken = async (userId, expiresIn = '1d') => {
+		const token = jwt.sign(
+			{userId},
+			process.env.JWT_KEY,
+			{expiresIn}
+		);
+		return token;
+	};
+
 	/**
 	 * Generates a random salt for password security.
 	 *
@@ -126,15 +127,6 @@ const user = (sequelize, DataTypes) => {
 		}
 	};
 
-	const setToken = user => {
-		const token = jwt.sign(
-			{email: user.email},
-			process.env.JWT_KEY,
-			{expiresIn: '1d'}
-		);
-		user.token = token;
-	};
-
 	// Other Helpers
 	// const validateContactInfo = user => {
 	// 	let valid = true;
@@ -155,7 +147,6 @@ const user = (sequelize, DataTypes) => {
 	// Update prep actions
 	// User.beforeUpdate(validateContactInfo);
 	User.beforeUpdate(setSaltAndPassword);
-	User.beforeUpdate(setToken);
 
 	return User;
 };