Merge pull request #82 from StreetSupport/staging

Merge staging into main

Author: james-cross

README.md

@@ -78,6 +78,7 @@ MONGODB_URI=mongodb+srv://...
 # Auth0
 AUTH0_DOMAIN='take it from https://manage.auth0.com/. For example: your-tenant.auth0.com'
 AUTH0_AUDIENCE='take it from https://manage.auth0.com/'
+AUTH0_CLIENT_ID='Application Client ID from https://manage.auth0.com/. Used for password change emails.'
 AUTH0_USER_DB_CONNECTION='take it from https://manage.auth0.com/'
 AUTH0_MANAGEMENT_CLIENT_ID='take it from https://manage.auth0.com/'
 AUTH0_MANAGEMENT_CLIENT_SECRET='take it from https://manage.auth0.com/'

src/config/auth0.ts

@@ -5,6 +5,7 @@ dotenv.config();
 const auth0Config = {
   domain: process.env.AUTH0_DOMAIN,
   audience: process.env.AUTH0_AUDIENCE,
+  clientId: process.env.AUTH0_CLIENT_ID,
   managementClientId: process.env.AUTH0_MANAGEMENT_CLIENT_ID,
   managementClientSecret: process.env.AUTH0_MANAGEMENT_CLIENT_SECRET,
   managementAudience: process.env.AUTH0_MANAGEMENT_AUDIENCE,
@@ -19,6 +20,10 @@ if (!auth0Config.audience) {
   throw new Error('AUTH0_AUDIENCE is not set in .env file');
 }
 
+if (!auth0Config.clientId) {
+  throw new Error('AUTH0_CLIENT_ID is not set in .env file');
+}
+
 if (!auth0Config.managementClientId) {
   throw new Error('AUTH0_MANAGEMENT_CLIENT_ID is not set in .env file');
 }

src/controllers/userController.ts

@@ -4,7 +4,7 @@ import ArchivedUser from '../models/archivedUserModel.js';
 import { asyncHandler } from '../utils/asyncHandler.js';
 import { decryptUserEmail, encryptEmail } from '../utils/encryption.js';
 import { validateUserCreate, validateUserUpdate } from '../schemas/userSchema.js';
-import { createAuth0User, deleteAuth0User, blockAuth0User, unblockAuth0User, updateAuth0UserRoles } from '../services/auth0Service.js';
+import { createAuth0User, deleteAuth0User, blockAuth0User, unblockAuth0User, updateAuth0UserRoles, sendPasswordChangeEmail } from '../services/auth0Service.js';
 import { sendSuccess, sendCreated, sendNotFound, sendBadRequest, sendInternalError, sendPaginatedSuccess, sendForbidden } from '../utils/apiResponses.js';
 import { ROLE_PREFIXES, ROLES } from '../constants/roles.js';
 import Organisation from '../models/organisationModel.js';
@@ -261,6 +261,14 @@ const createUser = asyncHandler(async (req: Request, res: Response) => {
     return sendInternalError(res, 'Failed to create user in database');
   }
 
+  // Send password change email so user can set their password
+  try {
+    await sendPasswordChangeEmail(userData.Email);
+  } catch (error) {
+    console.error('Failed to send password change email:', error);
+    // Non-blocking - user is created, they can use forgot password if email fails
+  }
+
   // Return user with decrypted email
   const userResponse = {
     ...user.toObject(),

src/services/auth0Service.ts

@@ -99,13 +99,16 @@ export async function createAuth0User(
   const accessToken = await getAuth0ManagementToken();
 
   // Build create user request - Auth0 will auto-generate user_id
+  // We set email_verified: true because admins control user creation
+  // We set verify_email: false to prevent Auth0 sending verification email
+  // Instead, we send a password change email so users can set their password
   const createUserRequest: CreateAuth0UserRequest = {
     connection: connection,
     email: email,
     name: email, // Use email as name
     password: generateTempPassword(),
-    email_verified: false,
-    verify_email: true,
+    email_verified: true,
+    verify_email: false,
     app_metadata: {
       authorization: {
         roles: authClaims,
@@ -133,6 +136,38 @@ export async function createAuth0User(
   return createdUser;
 }
 
+/**
+ * Send password change email to user via Auth0 Authentication API
+ * This allows new users to set their password after account creation
+ * @param email - User email address
+ */
+export async function sendPasswordChangeEmail(email: string): Promise<void> {
+  const domain = auth0Config.domain as string;
+  const clientId = auth0Config.clientId as string;
+  const connection = (auth0Config.userDbConnection as string) || 'Username-Password-Authentication';
+
+  if (!domain || !clientId) {
+    throw new Error('AUTH0_DOMAIN or AUTH0_CLIENT_ID is not configured');
+  }
+
+  const response = await fetch(`https://${domain}/dbconnections/change_password`, {
+    method: HTTP_METHODS.POST,
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      client_id: clientId,
+      email: email,
+      connection: connection,
+    }),
+  });
+
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to send password change email: ${error}`);
+  }
+}
+
 /**
  * Delete a user from Auth0
  * @param auth0UserId - Auth0 user ID (e.g., "auth0|123456")