authorizer/server/resolvers/forgot_password.go

package resolvers

import (
	"context"
	"fmt"
	"strings"
	"time"

	"github.com/google/uuid"
	log "github.com/sirupsen/logrus"

	"github.com/authorizerdev/authorizer/server/constants"
	"github.com/authorizerdev/authorizer/server/cookie"
	"github.com/authorizerdev/authorizer/server/db"
	"github.com/authorizerdev/authorizer/server/db/models"
	mailService "github.com/authorizerdev/authorizer/server/email"
	"github.com/authorizerdev/authorizer/server/graph/model"
	"github.com/authorizerdev/authorizer/server/memorystore"
	"github.com/authorizerdev/authorizer/server/parsers"
	"github.com/authorizerdev/authorizer/server/refs"
	"github.com/authorizerdev/authorizer/server/smsproviders"
	"github.com/authorizerdev/authorizer/server/token"
	"github.com/authorizerdev/authorizer/server/utils"
)

// ForgotPasswordResolver is a resolver for forgot password mutation
func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInput) (*model.ForgotPasswordResponse, error) {
	gc, err := utils.GinContextFromContext(ctx)
	if err != nil {
		log.Debug("Failed to get GinContext: ", err)
		return nil, err
	}

	isBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication)
	if err != nil {
		log.Debug("Error getting basic auth disabled: ", err)
		isBasicAuthDisabled = true
	}
	isEmailVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification)
	if err != nil {
		log.Debug("Error getting email verification disabled: ", err)
		isEmailVerificationDisabled = true
	}

	isMobileBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMobileBasicAuthentication)
	if err != nil {
		log.Debug("Error getting mobile basic auth disabled: ", err)
		isMobileBasicAuthDisabled = true
	}
	isMobileVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisablePhoneVerification)
	if err != nil {
		log.Debug("Error getting mobile verification disabled: ", err)
		isMobileVerificationDisabled = true
	}

	email := refs.StringValue(params.Email)
	phoneNumber := refs.StringValue(params.PhoneNumber)
	if email == "" && phoneNumber == "" {
		log.Debug("Email or phone number is required")
		return nil, fmt.Errorf(`email or phone number is required`)
	}
	log := log.WithFields(log.Fields{
		"email":        refs.StringValue(params.Email),
		"phone_number": refs.StringValue(params.PhoneNumber),
	})
	isEmailLogin := email != ""
	isMobileLogin := phoneNumber != ""
	if isBasicAuthDisabled && isEmailLogin && !isEmailVerificationDisabled {
		log.Debug("Basic authentication is disabled.")
		return nil, fmt.Errorf(`basic authentication is disabled for this instance`)
	}
	if isMobileBasicAuthDisabled && isMobileLogin && !isMobileVerificationDisabled {
		log.Debug("Mobile basic authentication is disabled.")
		return nil, fmt.Errorf(`mobile basic authentication is disabled for this instance`)
	}
	var user *models.User
	if isEmailLogin {
		user, err = db.Provider.GetUserByEmail(ctx, email)
	} else {
		user, err = db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)
	}
	if err != nil {
		log.Debug("Failed to get user: ", err)
		return nil, fmt.Errorf(`bad user credentials`)
	}

	if user.SignupMethods == "magic_link_login" {
		user.SignupMethods = "basic_auth"

		user, err = db.Provider.UpdateUser(ctx, user)
		if err != nil {
			log.Debug("Failed to update user signup method: ", err)
		}
	}

	hostname := parsers.GetHost(gc)
	_, nonceHash, err := utils.GenerateNonce()
	if err != nil {
		log.Debug("Failed to generate nonce: ", err)
		return nil, err
	}
	if user.RevokedTimestamp != nil {
		log.Debug("User access is revoked")
		return nil, fmt.Errorf(`user access has been revoked`)
	}
	if isEmailLogin {
		redirectURI := ""
		// give higher preference to params redirect uri
		if strings.TrimSpace(refs.StringValue(params.RedirectURI)) != "" {
			redirectURI = refs.StringValue(params.RedirectURI)
		} else {
			redirectURI, err = memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyResetPasswordURL)
			if err != nil {
				log.Debug("ResetPasswordURL not found using default app url: ", err)
				redirectURI = hostname + "/app/reset-password"
				memorystore.Provider.UpdateEnvVariable(constants.EnvKeyResetPasswordURL, redirectURI)
			}
		}
		verificationToken, err := token.CreateVerificationToken(email, constants.VerificationTypeForgotPassword, hostname, nonceHash, redirectURI)
		if err != nil {
			log.Debug("Failed to create verification token", err)
			return nil, err
		}
		_, err = db.Provider.AddVerificationRequest(ctx, &models.VerificationRequest{
			Token:       verificationToken,
			Identifier:  constants.VerificationTypeForgotPassword,
			ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
			Email:       email,
			Nonce:       nonceHash,
			RedirectURI: redirectURI,
		})
		if err != nil {
			log.Debug("Failed to add verification request", err)
			return nil, err
		}
		// execute it as go routine so that we can reduce the api latency
		go mailService.SendEmail([]string{email}, constants.VerificationTypeForgotPassword, map[string]interface{}{
			"user":             user.ToMap(),
			"organization":     utils.GetOrganization(),
			"verification_url": utils.GetForgotPasswordURL(verificationToken, redirectURI),
		})
		return &model.ForgotPasswordResponse{
			Message: `Please check your inbox! We have sent a password reset link.`,
		}, nil
	}
	if isMobileLogin {
		expiresAt := time.Now().Add(1 * time.Minute).Unix()
		otp := utils.GenerateOTP()
		otpData, err := db.Provider.UpsertOTP(ctx, &models.OTP{
			Email:       refs.StringValue(user.Email),
			PhoneNumber: refs.StringValue(user.PhoneNumber),
			Otp:         otp,
			ExpiresAt:   expiresAt,
		})
		if err != nil {
			log.Debug("Failed to add otp: ", err)
			return nil, err
		}
		mfaSession := uuid.NewString()
		err = memorystore.Provider.SetMfaSession(user.ID, mfaSession, expiresAt)
		if err != nil {
			log.Debug("Failed to add mfasession: ", err)
			return nil, err
		}
		cookie.SetMfaSession(gc, mfaSession)
		smsBody := strings.Builder{}
		smsBody.WriteString("Your verification code is: ")
		smsBody.WriteString(otpData.Otp)
		if err := smsproviders.SendSMS(phoneNumber, smsBody.String()); err != nil {
			log.Debug("Failed to send sms: ", err)
			// continue
		}
		return &model.ForgotPasswordResponse{
			Message:                   "Please enter the OTP sent to your phone number and change your password.",
			ShouldShowMobileOtpScreen: refs.NewBoolRef(true),
		}, nil
	}
	return nil, fmt.Errorf(`email or phone number verification needs to be enabled`)
}
Add forgot password resolver Resolves #10 2021-07-18 09:56:29 +00:00			`package resolvers`

			`import (`
			`"context"`
			`"fmt"`
fix: get token logic, add buffer time fix typos 2021-07-21 08:06:26 +00:00			`"strings"`
			`"time"`
Add forgot password resolver Resolves #10 2021-07-18 09:56:29 +00:00
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`"github.com/google/uuid"`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`log "github.com/sirupsen/logrus"`

fix: add disable basic auth check in resolvers 2021-07-28 09:52:11 +00:00			`"github.com/authorizerdev/authorizer/server/constants"`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`"github.com/authorizerdev/authorizer/server/cookie"`
chore: rename project 2021-07-23 16:27:44 +00:00			`"github.com/authorizerdev/authorizer/server/db"`
fix: update to use db.Provider 2022-01-21 08:04:04 +00:00			`"github.com/authorizerdev/authorizer/server/db/models"`
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`mailService "github.com/authorizerdev/authorizer/server/email"`
chore: rename project 2021-07-23 16:27:44 +00:00			`"github.com/authorizerdev/authorizer/server/graph/model"`
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`"github.com/authorizerdev/authorizer/server/memorystore"`
fix: import cycle issues 2022-05-30 06:24:16 +00:00			`"github.com/authorizerdev/authorizer/server/parsers"`
fix email template - fix verification types - add design to cassandra db provider for email_template - fix default email verification types to include update_email 2022-08-13 06:04:24 +00:00			`"github.com/authorizerdev/authorizer/server/refs"`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`"github.com/authorizerdev/authorizer/server/smsproviders"`
Implement refresh token logic with fingerprint + rotation 2022-01-22 19:54:41 +00:00			`"github.com/authorizerdev/authorizer/server/token"`
chore: rename project 2021-07-23 16:27:44 +00:00			`"github.com/authorizerdev/authorizer/server/utils"`
Add forgot password resolver Resolves #10 2021-07-18 09:56:29 +00:00			`)`

Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`// ForgotPasswordResolver is a resolver for forgot password mutation`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInput) (*model.ForgotPasswordResponse, error) {`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`gc, err := utils.GinContextFromContext(ctx)`
feat: login wall (#42) * feat: add login-wall app * fix: rename vars * fix: rename vars * update docker file * add validations for app state * add host check for app * fix: docker file 2021-08-04 06:48:57 +00:00			`if err != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to get GinContext: ", err)`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`return nil, err`
feat: login wall (#42) * feat: add login-wall app * fix: rename vars * fix: rename vars * update docker file * add validations for app state * add host check for app * fix: docker file 2021-08-04 06:48:57 +00:00			`}`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`isBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication)`
			`if err != nil {`
			`log.Debug("Error getting basic auth disabled: ", err)`
			`isBasicAuthDisabled = true`
			`}`
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`isEmailVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification)`
			`if err != nil {`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`log.Debug("Error getting email verification disabled: ", err)`
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`isEmailVerificationDisabled = true`
fix: add disable basic auth check in resolvers 2021-07-28 09:52:11 +00:00			`}`
Add forgot password resolver Resolves #10 2021-07-18 09:56:29 +00:00
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`isMobileBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMobileBasicAuthentication)`
			`if err != nil {`
			`log.Debug("Error getting mobile basic auth disabled: ", err)`
			`isMobileBasicAuthDisabled = true`
			`}`
			`isMobileVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisablePhoneVerification)`
			`if err != nil {`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`log.Debug("Error getting mobile verification disabled: ", err)`
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`isMobileVerificationDisabled = true`
Add forgot password resolver Resolves #10 2021-07-18 09:56:29 +00:00			`}`

feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`email := refs.StringValue(params.Email)`
			`phoneNumber := refs.StringValue(params.PhoneNumber)`
			`if email == "" && phoneNumber == "" {`
			`log.Debug("Email or phone number is required")`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			return nil, fmt.Errorf(`email or phone number is required`)
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`}`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`log := log.WithFields(log.Fields{`
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`"email": refs.StringValue(params.Email),`
			`"phone_number": refs.StringValue(params.PhoneNumber),`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`})`
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`isEmailLogin := email != ""`
			`isMobileLogin := phoneNumber != ""`
			`if isBasicAuthDisabled && isEmailLogin && !isEmailVerificationDisabled {`
			`log.Debug("Basic authentication is disabled.")`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			return nil, fmt.Errorf(`basic authentication is disabled for this instance`)
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`}`
			`if isMobileBasicAuthDisabled && isMobileLogin && !isMobileVerificationDisabled {`
			`log.Debug("Mobile basic authentication is disabled.")`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			return nil, fmt.Errorf(`mobile basic authentication is disabled for this instance`)
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`}`
			`var user *models.User`
			`if isEmailLogin {`
			`user, err = db.Provider.GetUserByEmail(ctx, email)`
			`} else {`
			`user, err = db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)`
			`}`
Add forgot password resolver Resolves #10 2021-07-18 09:56:29 +00:00			`if err != nil {`
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`log.Debug("Failed to get user: ", err)`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			return nil, fmt.Errorf(`bad user credentials`)
Add forgot password resolver Resolves #10 2021-07-18 09:56:29 +00:00			`}`
forgot-resolver-patch 2024-02-08 16:18:31 +00:00
			`if user.SignupMethods == "magic_link_login" {`
			`user.SignupMethods = "basic_auth"`

			`user, err = db.Provider.UpdateUser(ctx, user)`
			`if err != nil {`
			`log.Debug("Failed to update user signup method: ", err)`
			`}`
			`}`

fix: import cycle issues 2022-05-30 06:24:16 +00:00			`hostname := parsers.GetHost(gc)`
fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`_, nonceHash, err := utils.GenerateNonce()`
fix: auth flow 2022-03-02 12:12:31 +00:00			`if err != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to generate nonce: ", err)`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`return nil, err`
fix: auth flow 2022-03-02 12:12:31 +00:00			`}`
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`if user.RevokedTimestamp != nil {`
			`log.Debug("User access is revoked")`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			return nil, fmt.Errorf(`user access has been revoked`)
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`}`
			`if isEmailLogin {`
			`redirectURI := ""`
			`// give higher preference to params redirect uri`
			`if strings.TrimSpace(refs.StringValue(params.RedirectURI)) != "" {`
			`redirectURI = refs.StringValue(params.RedirectURI)`
			`} else {`
			`redirectURI, err = memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyResetPasswordURL)`
			`if err != nil {`
			`log.Debug("ResetPasswordURL not found using default app url: ", err)`
			`redirectURI = hostname + "/app/reset-password"`
			`memorystore.Provider.UpdateEnvVariable(constants.EnvKeyResetPasswordURL, redirectURI)`
			`}`
			`}`
			`verificationToken, err := token.CreateVerificationToken(email, constants.VerificationTypeForgotPassword, hostname, nonceHash, redirectURI)`
fix: forgot password redirect from app 2022-10-24 06:07:42 +00:00			`if err != nil {`
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`log.Debug("Failed to create verification token", err)`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`return nil, err`
fix: forgot password redirect from app 2022-10-24 06:07:42 +00:00			`}`
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`_, err = db.Provider.AddVerificationRequest(ctx, &models.VerificationRequest{`
			`Token: verificationToken,`
			`Identifier: constants.VerificationTypeForgotPassword,`
			`ExpiresAt: time.Now().Add(time.Minute * 30).Unix(),`
			`Email: email,`
			`Nonce: nonceHash,`
			`RedirectURI: redirectURI,`
			`})`
			`if err != nil {`
			`log.Debug("Failed to add verification request", err)`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`return nil, err`
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`}`
			`// execute it as go routine so that we can reduce the api latency`
			`go mailService.SendEmail([]string{email}, constants.VerificationTypeForgotPassword, map[string]interface{}{`
			`"user": user.ToMap(),`
			`"organization": utils.GetOrganization(),`
			`"verification_url": utils.GetForgotPasswordURL(verificationToken, redirectURI),`
			`})`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`return &model.ForgotPasswordResponse{`
			Message: `Please check your inbox! We have sent a password reset link.`,
			`}, nil`
fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`}`
feat: add forgot password for mobile login 2023-12-03 17:19:40 +00:00			`if isMobileLogin {`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			`expiresAt := time.Now().Add(1 * time.Minute).Unix()`
			`otp := utils.GenerateOTP()`
			`otpData, err := db.Provider.UpsertOTP(ctx, &models.OTP{`
			`Email: refs.StringValue(user.Email),`
			`PhoneNumber: refs.StringValue(user.PhoneNumber),`
			`Otp: otp,`
			`ExpiresAt: expiresAt,`
			`})`
			`if err != nil {`
			`log.Debug("Failed to add otp: ", err)`
			`return nil, err`
			`}`
			`mfaSession := uuid.NewString()`
			`err = memorystore.Provider.SetMfaSession(user.ID, mfaSession, expiresAt)`
			`if err != nil {`
			`log.Debug("Failed to add mfasession: ", err)`
			`return nil, err`
			`}`
			`cookie.SetMfaSession(gc, mfaSession)`
			`smsBody := strings.Builder{}`
			`smsBody.WriteString("Your verification code is: ")`
			`smsBody.WriteString(otpData.Otp)`
			`if err := smsproviders.SendSMS(phoneNumber, smsBody.String()); err != nil {`
			`log.Debug("Failed to send sms: ", err)`
			`// continue`
			`}`
			`return &model.ForgotPasswordResponse{`
			`Message: "Please enter the OTP sent to your phone number and change your password.",`
			`ShouldShowMobileOtpScreen: refs.NewBoolRef(true),`
			`}, nil`
fix: replace all logs 2022-05-24 07:20:33 +00:00			`}`
feat: add testing & ui for forgot password with mobile 2023-12-21 19:56:14 +00:00			return nil, fmt.Errorf(`email or phone number verification needs to be enabled`)
Add forgot password resolver Resolves #10 2021-07-18 09:56:29 +00:00			`}`