refactor names and product check

Author: pcrespov

api/specs/web-server/_auth.py

@@ -178,16 +178,15 @@ async def initiate_reset_password(_body: ResetPasswordBody): ...
 @router.post(
     "/auth/reset-password/{code}",
     response_model=Envelope[Log],
-    operation_id="auth_reset_password_allowed",
+    operation_id="complete_reset_password",
     responses={
         status.HTTP_401_UNAUTHORIZED: {
             "model": EnvelopedError,
-            "description": "unauthorized reset due to invalid token code",
+            "description": "Invalid token code",
         }
     },
 )
-async def reset_password_allowed(code: str, _body: ResetPasswordConfirmation):
-    """changes password using a token code without being logged in"""
+async def complete_reset_password(code: str, _body: ResetPasswordConfirmation): ...
 
 
 @router.post(

services/web/server/src/simcore_service_webserver/login/handlers_change.py

@@ -16,6 +16,7 @@
 from ..products import products_web
 from ..products.models import Product
 from ..security.api import check_password, encrypt_password
+from ..users import api as users_service
 from ..utils import HOUR
 from ..utils_rate_limiting import global_rate_limit_route
 from ._confirmation import is_confirmation_valid, make_confirmation_link
@@ -52,7 +53,7 @@ class ResetPasswordBody(InputSchema):
 @routes.post(f"/{API_VTAG}/auth/reset-password", name="initiate_reset_password")
 @global_rate_limit_route(number_of_requests=10, interval_seconds=HOUR)
 async def initiate_reset_password(request: web.Request):
-    """First of the "Two-Step Action Confirmation pattern"
+    """First of the "Two-Step Action Confirmation pattern": initiate_reset_password + complete_reset_password(code)
 
         1. confirm user exists
         2. check user status
@@ -76,7 +77,7 @@ async def initiate_reset_password(request: web.Request):
     # with a given email or username.
     response = flash_response(MSG_EMAIL_SENT.format(email=request_body.email), "INFO")
 
-    # check user exists
+    # CHECK user exists
     user = await db.get_user({"email": request_body.email})
     if not user:
         _logger.warning(
@@ -86,7 +87,7 @@ async def initiate_reset_password(request: web.Request):
         )
         return response
 
-    # check user state
+    # CHECK user state
     try:
         validate_user_status(user=dict(user), support_email=product.support_email)
     except web.HTTPError as err:
@@ -99,9 +100,16 @@ async def initiate_reset_password(request: web.Request):
 
     assert user["status"] == ACTIVE  # nosec
     assert user["email"] == request_body.email  # nosec
+    assert isinstance(user["id"], int)  # nosec
 
-    # check access to product
-    # TODO:
+    # CHECK access to product
+    if not await users_service.is_user_in_product(
+        request.app, user_id=user["id"], product_name=product.name
+    ):
+        _logger.warning(
+            "Password rest requested for a registered user but wihtout access to product"
+        )
+        return response
 
     if await is_confirmation_valid(cfg, db, user, action=RESET_PASSWORD):
         _logger.warning(
@@ -111,10 +119,11 @@ async def initiate_reset_password(request: web.Request):
         # delete previous and resend new?
         return response
 
-    # TODO: create confirmation code,
-    confirmation = await db.create_confirmation(user["id"], action=RESET_PASSWORD)
-    link = make_confirmation_link(request, confirmation)
     try:
+        # Produce a link so that the front-end can hit `complete_reset_password`
+        confirmation = await db.create_confirmation(user["id"], action=RESET_PASSWORD)
+        link = make_confirmation_link(request, confirmation)
+
         # primary reset email with a URL and the normal instructions.
         await send_email_from_template(
             request,

services/web/server/src/simcore_service_webserver/login/handlers_confirmation.py

@@ -273,11 +273,12 @@ class ResetPasswordConfirmation(InputSchema):
     _password_confirm_match = field_validator("confirm")(check_confirm_password_match)
 
 
-@routes.post("/v0/auth/reset-password/{code}", name="auth_reset_password_allowed")
-async def reset_password(request: web.Request):
-    """Changes password using a token code without being logged in
+@routes.post("/v0/auth/reset-password/{code}", name="complete_reset_password")
+async def complete_reset_password(request: web.Request):
+    """Last of the "Two-Step Action Confirmation pattern": initiate_reset_password + complete_reset_password(code)
 
-    Code is provided via email by calling first submit_request_to_reset_password
+    - Changes password using a token code without login
+    - Code is provided via email by calling first initiate_reset_password
     """
     db: AsyncpgStorage = get_plugin_storage(request.app)
     cfg: LoginOptions = get_plugin_options(request.app)

services/web/server/tests/unit/with_dbs/03/login/test_login_reset_password.py

@@ -184,7 +184,7 @@ async def test_reset_and_confirm(
         )
 
         # api/specs/webserver/v0/components/schemas/auth.yaml#/ResetPasswordForm
-        reset_allowed_url = client.app.router["auth_reset_password_allowed"].url_for(
+        reset_allowed_url = client.app.router["complete_reset_password"].url_for(
             code=code
         )
         new_password = generate_password(10)