authorizer/server/resolvers/reset_password.go

package resolvers

import (
	"context"
	"fmt"
	"strings"
	"time"

	log "github.com/sirupsen/logrus"

	"github.com/authorizerdev/authorizer/server/constants"
	"github.com/authorizerdev/authorizer/server/cookie"
	"github.com/authorizerdev/authorizer/server/crypto"
	"github.com/authorizerdev/authorizer/server/db"
	"github.com/authorizerdev/authorizer/server/db/models"
	"github.com/authorizerdev/authorizer/server/graph/model"
	"github.com/authorizerdev/authorizer/server/memorystore"
	"github.com/authorizerdev/authorizer/server/parsers"
	"github.com/authorizerdev/authorizer/server/refs"
	"github.com/authorizerdev/authorizer/server/token"
	"github.com/authorizerdev/authorizer/server/utils"
	"github.com/authorizerdev/authorizer/server/validators"
)

// ResetPasswordResolver is a resolver for reset password mutation
func ResetPasswordResolver(ctx context.Context, params model.ResetPasswordInput) (*model.Response, error) {
	var res *model.Response

	gc, err := utils.GinContextFromContext(ctx)
	if err != nil {
		log.Debug("Failed to get GinContext: ", err)
		return res, err
	}
	verifyingToken := refs.StringValue(params.Token)
	otp := refs.StringValue(params.Otp)
	if verifyingToken == "" && otp == "" {
		log.Debug("Token or OTP is required")
		return res, fmt.Errorf(`token or otp is required`)
	}
	isTokenVerification := verifyingToken != ""
	isOtpVerification := otp != ""
	if isOtpVerification && refs.StringValue(params.PhoneNumber) == "" {
		log.Debug("Phone number is required")
		return res, fmt.Errorf(`phone number is required`)
	}
	isBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication)
	if err != nil {
		log.Debug("Error getting basic auth disabled: ", err)
		isBasicAuthDisabled = true
	}
	isMobileBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMobileBasicAuthentication)
	if err != nil {
		log.Debug("Error getting mobile basic auth disabled: ", err)
		isBasicAuthDisabled = true
	}
	if isTokenVerification && isBasicAuthDisabled {
		log.Debug("Basic authentication is disabled")
		return res, fmt.Errorf(`basic authentication is disabled for this instance`)
	}
	if isOtpVerification && isMobileBasicAuthDisabled {
		log.Debug("Mobile basic authentication is disabled")
		return res, fmt.Errorf(`mobile basic authentication is disabled for this instance`)
	}
	email := ""
	phoneNumber := refs.StringValue(params.PhoneNumber)
	var user *models.User
	var verificationRequest *models.VerificationRequest
	var otpRequest *models.OTP
	if isTokenVerification {
		verificationRequest, err = db.Provider.GetVerificationRequestByToken(ctx, verifyingToken)
		if err != nil {
			log.Debug("Failed to get verification request: ", err)
			return res, fmt.Errorf(`invalid token`)
		}
		// verify if token exists in db
		hostname := parsers.GetHost(gc)
		claim, err := token.ParseJWTToken(verifyingToken)
		if err != nil {
			log.Debug("Failed to parse token: ", err)
			return res, fmt.Errorf(`invalid token`)
		}

		if ok, err := token.ValidateJWTClaims(claim, hostname, verificationRequest.Nonce, verificationRequest.Email); !ok || err != nil {
			log.Debug("Failed to validate jwt claims: ", err)
			return res, fmt.Errorf(`invalid token`)
		}
		email = claim["sub"].(string)
		user, err = db.Provider.GetUserByEmail(ctx, email)
		if err != nil {
			log.Debug("Failed to get user: ", err)
			return res, err
		}
	}
	if isOtpVerification {
		mfaSession, err := cookie.GetMfaSession(gc)
		if err != nil {
			log.Debug("Failed to get otp request by email: ", err)
			return res, fmt.Errorf(`invalid session: %s`, err.Error())
		}
		// Get user by phone number
		user, err = db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)
		if err != nil {
			log.Debug("Failed to get user by phone number: ", err)
			return res, fmt.Errorf(`user not found`)
		}
		if _, err := memorystore.Provider.GetMfaSession(user.ID, mfaSession); err != nil {
			log.Debug("Failed to get mfa session: ", err)
			return res, fmt.Errorf(`invalid session: %s`, err.Error())
		}
		otpRequest, err = db.Provider.GetOTPByPhoneNumber(ctx, phoneNumber)
		if err != nil {
			log.Debug("Failed to get otp request by phone number: ", err)
			return res, fmt.Errorf(`invalid otp`)
		}
		if otpRequest.Otp != otp {
			log.Debug("Failed to verify otp request: Incorrect value")
			return res, fmt.Errorf(`invalid otp`)
		}
	}
	if params.Password != params.ConfirmPassword {
		log.Debug("Passwords do not match")
		return res, fmt.Errorf(`passwords don't match`)
	}
	if err := validators.IsValidPassword(params.Password); err != nil {
		log.Debug("Invalid password")
		return res, err
	}
	log := log.WithFields(log.Fields{
		"email": email,
		"phone": phoneNumber,
	})
	password, _ := crypto.EncryptPassword(params.Password)
	user.Password = &password
	signupMethod := user.SignupMethods
	if !strings.Contains(signupMethod, constants.AuthRecipeMethodBasicAuth) && isTokenVerification {
		signupMethod = signupMethod + "," + constants.AuthRecipeMethodBasicAuth
		// helpful if user has not signed up with basic auth
		if user.EmailVerifiedAt == nil {
			now := time.Now().Unix()
			user.EmailVerifiedAt = &now
		}
	}
	if !strings.Contains(signupMethod, constants.AuthRecipeMethodMobileOTP) && isOtpVerification {
		signupMethod = signupMethod + "," + constants.AuthRecipeMethodMobileOTP
		// helpful if user has not signed up with basic auth
		if user.PhoneNumberVerifiedAt == nil {
			now := time.Now().Unix()
			user.PhoneNumberVerifiedAt = &now
		}
	}
	user.SignupMethods = signupMethod
	isMFAEnforced, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyEnforceMultiFactorAuthentication)
	if err != nil {
		log.Debug("MFA service not enabled: ", err)
		isMFAEnforced = false
	}
	if isMFAEnforced {
		user.IsMultiFactorAuthEnabled = refs.NewBoolRef(true)
	}
	_, err = db.Provider.UpdateUser(ctx, user)
	if err != nil {
		log.Debug("Failed to update user: ", err)
		return res, err
	}
	if isTokenVerification {
		// delete from verification table
		err = db.Provider.DeleteVerificationRequest(ctx, verificationRequest)
		if err != nil {
			log.Debug("Failed to delete verification request: ", err)
			return res, err
		}
	}
	if isOtpVerification {
		// delete from otp table
		err = db.Provider.DeleteOTP(ctx, otpRequest)
		if err != nil {
			log.Debug("Failed to delete otp request: ", err)
			return res, err
		}
	}
	res = &model.Response{
		Message: `Password updated successfully.`,
	}
	return res, nil
}
fix: get token logic, add buffer time fix typos 2021-07-21 08:06:26 +00:00			`package resolvers`

			`import (`
			`"context"`
			`"fmt"`
fix: add location middleware to get exact host 2021-08-04 10:25:13 +00:00			`"strings"`
Fix issue with reset password 2022-01-08 17:31:06 +00:00			`"time"`
fix: get token logic, add buffer time fix typos 2021-07-21 08:06:26 +00:00
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`log "github.com/sirupsen/logrus"`

fix: add disable basic auth check in resolvers 2021-07-28 09:52:11 +00:00			`"github.com/authorizerdev/authorizer/server/constants"`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`"github.com/authorizerdev/authorizer/server/cookie"`
feat: add session token 2022-02-28 15:56:49 +00:00			`"github.com/authorizerdev/authorizer/server/crypto"`
chore: rename project 2021-07-23 16:27:44 +00:00			`"github.com/authorizerdev/authorizer/server/db"`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`"github.com/authorizerdev/authorizer/server/db/models"`
chore: rename project 2021-07-23 16:27:44 +00:00			`"github.com/authorizerdev/authorizer/server/graph/model"`
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`"github.com/authorizerdev/authorizer/server/memorystore"`
fix: import cycle issues 2022-05-30 06:24:16 +00:00			`"github.com/authorizerdev/authorizer/server/parsers"`
feat: add managing mfa 2022-08-03 17:50:23 +00:00			`"github.com/authorizerdev/authorizer/server/refs"`
Implement refresh token logic with fingerprint + rotation 2022-01-22 19:54:41 +00:00			`"github.com/authorizerdev/authorizer/server/token"`
fix: auth flow 2022-03-02 12:12:31 +00:00			`"github.com/authorizerdev/authorizer/server/utils"`
fix: import cycle issues 2022-05-30 06:24:16 +00:00			`"github.com/authorizerdev/authorizer/server/validators"`
fix: get token logic, add buffer time fix typos 2021-07-21 08:06:26 +00:00			`)`

Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`// ResetPasswordResolver is a resolver for reset password mutation`
			`func ResetPasswordResolver(ctx context.Context, params model.ResetPasswordInput) (*model.Response, error) {`
fix: get token logic, add buffer time fix typos 2021-07-21 08:06:26 +00:00			`var res *model.Response`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00
fix: auth flow 2022-03-02 12:12:31 +00:00			`gc, err := utils.GinContextFromContext(ctx)`
			`if err != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to get GinContext: ", err)`
fix: auth flow 2022-03-02 12:12:31 +00:00			`return res, err`
			`}`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`verifyingToken := refs.StringValue(params.Token)`
			`otp := refs.StringValue(params.Otp)`
			`if verifyingToken == "" && otp == "" {`
			`log.Debug("Token or OTP is required")`
			return res, fmt.Errorf(`token or otp is required`)
			`}`
			`isTokenVerification := verifyingToken != ""`
			`isOtpVerification := otp != ""`
			`if isOtpVerification && refs.StringValue(params.PhoneNumber) == "" {`
			`log.Debug("Phone number is required")`
			return res, fmt.Errorf(`phone number is required`)
			`}`
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`isBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication)`
			`if err != nil {`
			`log.Debug("Error getting basic auth disabled: ", err)`
			`isBasicAuthDisabled = true`
			`}`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`isMobileBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMobileBasicAuthentication)`
			`if err != nil {`
			`log.Debug("Error getting mobile basic auth disabled: ", err)`
			`isBasicAuthDisabled = true`
			`}`
			`if isTokenVerification && isBasicAuthDisabled {`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`log.Debug("Basic authentication is disabled")`
fix: add disable basic auth check in resolvers 2021-07-28 09:52:11 +00:00			return res, fmt.Errorf(`basic authentication is disabled for this instance`)
			`}`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`if isOtpVerification && isMobileBasicAuthDisabled {`
			`log.Debug("Mobile basic authentication is disabled")`
			return res, fmt.Errorf(`mobile basic authentication is disabled for this instance`)
fix: get token logic, add buffer time fix typos 2021-07-21 08:06:26 +00:00			`}`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`email := ""`
			`phoneNumber := refs.StringValue(params.PhoneNumber)`
			`var user *models.User`
			`var verificationRequest *models.VerificationRequest`
			`var otpRequest *models.OTP`
			`if isTokenVerification {`
			`verificationRequest, err = db.Provider.GetVerificationRequestByToken(ctx, verifyingToken)`
			`if err != nil {`
			`log.Debug("Failed to get verification request: ", err)`
			return res, fmt.Errorf(`invalid token`)
			`}`
			`// verify if token exists in db`
			`hostname := parsers.GetHost(gc)`
			`claim, err := token.ParseJWTToken(verifyingToken)`
			`if err != nil {`
			`log.Debug("Failed to parse token: ", err)`
			return res, fmt.Errorf(`invalid token`)
			`}`
fix: get token logic, add buffer time fix typos 2021-07-21 08:06:26 +00:00
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`if ok, err := token.ValidateJWTClaims(claim, hostname, verificationRequest.Nonce, verificationRequest.Email); !ok \|\| err != nil {`
			`log.Debug("Failed to validate jwt claims: ", err)`
			return res, fmt.Errorf(`invalid token`)
			`}`
			`email = claim["sub"].(string)`
			`user, err = db.Provider.GetUserByEmail(ctx, email)`
			`if err != nil {`
			`log.Debug("Failed to get user: ", err)`
			`return res, err`
			`}`
			`}`
			`if isOtpVerification {`
			`mfaSession, err := cookie.GetMfaSession(gc)`
			`if err != nil {`
			`log.Debug("Failed to get otp request by email: ", err)`
			return res, fmt.Errorf(`invalid session: %s`, err.Error())
			`}`
			`// Get user by phone number`
			`user, err = db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)`
			`if err != nil {`
			`log.Debug("Failed to get user by phone number: ", err)`
			return res, fmt.Errorf(`user not found`)
			`}`
			`if _, err := memorystore.Provider.GetMfaSession(user.ID, mfaSession); err != nil {`
			`log.Debug("Failed to get mfa session: ", err)`
			return res, fmt.Errorf(`invalid session: %s`, err.Error())
			`}`
			`otpRequest, err = db.Provider.GetOTPByPhoneNumber(ctx, phoneNumber)`
			`if err != nil {`
			`log.Debug("Failed to get otp request by phone number: ", err)`
			return res, fmt.Errorf(`invalid otp`)
			`}`
			`if otpRequest.Otp != otp {`
			`log.Debug("Failed to verify otp request: Incorrect value")`
			return res, fmt.Errorf(`invalid otp`)
			`}`
			`}`
fix: update authorizer-react + oauth callback 2021-08-10 16:50:24 +00:00			`if params.Password != params.ConfirmPassword {`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`log.Debug("Passwords do not match")`
fix: update authorizer-react + oauth callback 2021-08-10 16:50:24 +00:00			return res, fmt.Errorf(`passwords don't match`)
			`}`
feat: add ability to disable strong password 2022-06-18 10:01:57 +00:00			`if err := validators.IsValidPassword(params.Password); err != nil {`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`log.Debug("Invalid password")`
feat: add ability to disable strong password 2022-06-18 10:01:57 +00:00			`return res, err`
feat: add validation for strong password 2022-03-17 10:05:07 +00:00			`}`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`log := log.WithFields(log.Fields{`
			`"email": email,`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`"phone": phoneNumber,`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`})`
feat: add session token 2022-02-28 15:56:49 +00:00			`password, _ := crypto.EncryptPassword(params.Password)`
fix: unique constraint data 2021-12-22 10:01:45 +00:00			`user.Password = &password`
fix: refactor schema for open id claim standards 2021-12-22 05:21:12 +00:00			`signupMethod := user.SignupMethods`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`if !strings.Contains(signupMethod, constants.AuthRecipeMethodBasicAuth) && isTokenVerification {`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`signupMethod = signupMethod + "," + constants.AuthRecipeMethodBasicAuth`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`// helpful if user has not signed up with basic auth`
			`if user.EmailVerifiedAt == nil {`
			`now := time.Now().Unix()`
			`user.EmailVerifiedAt = &now`
feat: add managing mfa 2022-08-03 17:50:23 +00:00			`}`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`}`
			`if !strings.Contains(signupMethod, constants.AuthRecipeMethodMobileOTP) && isOtpVerification {`
			`signupMethod = signupMethod + "," + constants.AuthRecipeMethodMobileOTP`
			`// helpful if user has not signed up with basic auth`
			`if user.PhoneNumberVerifiedAt == nil {`
			`now := time.Now().Unix()`
			`user.PhoneNumberVerifiedAt = &now`
feat: add managing mfa 2022-08-03 17:50:23 +00:00			`}`
fix: add location middleware to get exact host 2021-08-04 10:25:13 +00:00			`}`
fix: refactor schema for open id claim standards 2021-12-22 05:21:12 +00:00			`user.SignupMethods = signupMethod`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`isMFAEnforced, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyEnforceMultiFactorAuthentication)`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`if err != nil {`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`log.Debug("MFA service not enabled: ", err)`
			`isMFAEnforced = false`
			`}`
			`if isMFAEnforced {`
			`user.IsMultiFactorAuthEnabled = refs.NewBoolRef(true)`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`}`
feat: implement resolvers 2022-07-10 16:19:33 +00:00			`_, err = db.Provider.UpdateUser(ctx, user)`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`if err != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to update user: ", err)`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`return res, err`
			`}`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`if isTokenVerification {`
			`// delete from verification table`
			`err = db.Provider.DeleteVerificationRequest(ctx, verificationRequest)`
			`if err != nil {`
			`log.Debug("Failed to delete verification request: ", err)`
			`return res, err`
			`}`
			`}`
			`if isOtpVerification {`
			`// delete from otp table`
			`err = db.Provider.DeleteOTP(ctx, otpRequest)`
			`if err != nil {`
			`log.Debug("Failed to delete otp request: ", err)`
			`return res, err`
			`}`
			`}`
fix: get token logic, add buffer time fix typos 2021-07-21 08:06:26 +00:00			`res = &model.Response{`
			Message: `Password updated successfully.`,
			`}`
			`return res, nil`
			`}`