Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reset password #262

Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

Reset password #262

wants to merge 14 commits into from

Conversation

Aboisier
Copy link
Collaborator

@Aboisier Aboisier commented Apr 27, 2024
edited

What's new?

This branch implements the reset password feature.

  • Add new "user-reset-password"
  • Add basic support for unique token authentication
  • Add basic support for "magic links"
  • Add basic support for sending emails using MailJet, mjml and handlebars
  • Fix card size bug in login page

TODO

  • Fix boken test

@Aboisier Aboisier requested a review from lm-sec April 29, 2024 12:08
lm-sec
lm-sec reviewed Jun 4, 2024
View reviewed changes
Copy link
Collaborator

@lm-sec lm-sec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Très bonne PR, juste une chose, est-ce que le onboarding du premier user change avec cette PR? Parce que tu as supprimé le first component, qui servait à créer le premier user ever en cas de déploiment prod, et j'ai pas vu de code qui crée un user initial. Possible que je l'aie manqué though. Je le vois pas dans les variables de devspace en tous cas.

packages/backend/jobs-manager/service/src/modules/auth/auth.controller.ts
*/
@Get('setup')
async getIsSetup(): Promise<any> {
return { isSetup: await this.authService.isAuthenticationSetup() };
}

private async loginCore(req: any) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the type here is something like ExpressRequest or something

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

import { Request } from 'express';
// [...]

private async loginCore(req: Request) {

packages/backend/jobs-manager/service/src/modules/auth/auth.e2e-spec.ts
refresh = r.body.refresh_token;
});

it('Should connect as the magic link user (POST /auth/login-magic-link)', async () => {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
it('Should connect as the magic link user (POST /auth/login-magic-link)', async () => {
it('Should not connect as the magic link user (POST /auth/login-magic-link)', async () => {

packages/backend/jobs-manager/service/src/modules/database/users/user.service.spec.ts
expect(authenticatedUser).toBeUndefined();
});

it('Should return access token when magic token does not exist', async () => {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
it('Should return access token when magic token does not exist', async () => {
it('Should not return access token when magic token does not exist', async () => {

packages/backend/jobs-manager/service/src/modules/database/users/user.service.spec.ts
expect(token).toBeNull();
});

it('Should return access token when magic token is expired', async () => {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
it('Should return access token when magic token is expired', async () => {
it('Should not return access token when magic token is expired', async () => {

packages/backend/jobs-manager/service/src/modules/database/users/users.controller.ts
Comment on lines +207 to +215
async requestPasswordReset(
@Request() request: any,
@Body() dto: ResetPasswordRequestDto,
) {
if (!dto.email) throw new BadRequestException();

await this.usersService.createPasswordResetRequest(dto.email);
}
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would not await the call to create a password reset.

await this.usersService.createPasswordResetRequest(dto.email);

It is a common time based user enumeration technique. The reply time would be longer for a valid user than for an invalid user, since the backend sends an email. Not awaiting the call would make for a more constant response time.

...es/backend/jobs-manager/service/src/modules/notifications/emails/email-templates.provider.ts
Comment on lines +30 to +32
private replaceValues(template: string, context: unknown) {
return compile(template)(context);
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

De ce que j'ai lu, handle bars HTML encode par défaut pour toi tant que tu as mis les deux accolades et pas trois. C'est great! 💯

packages/backend/jobs-manager/service/src/modules/notifications/emails/null-email.service.ts
Comment on lines +4 to +11
export class NullEmailService implements EmailService {
public sendResetPassword(
context: ResetPasswordContext,
recipients: EmailRecipient[],
): Promise<void> {
return Promise.resolve();
}
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Vraiment bien pensé de pouvoir fonctionner même sans email service 💡

packages/backend/jobs-manager/service/src/modules/notifications/emails/mailjet-email.service.ts
}
}

private filterRecipients(recipients: EmailRecipient[]) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fancy 🍸

packages/backend/jobs-manager/service/src/modules/notifications/notifications-constants.ts
Comment on lines +16 to +19
export const EMAIL_RECIPIENTS_FILTER_LIST_MODE =
process.env.JM_ENVIRONMENT === JM_ENVIRONMENTS.prod
? 'block-list'
: 'allow-list';
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On devrait surement faire une page de doc qui explique ces différentes valeurs configurables

packages/frontend/stalker-app/src/app/app-routing.module.ts
Comment on lines -112 to +136
path: 'first',
component: FirstComponent,
path: 'reset',
loadComponent: () =>
import('./modules/auth/reset/reset-password.component').then((c) => c.ResetPasswordComponent),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Le component first servait à créer le premier user ever lors du déploiment, est-ce que la façon de créer le premier user a changé?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

À moins que j'ai manqué la création du premier user de l'app dans le code, je pense que ce component est possiblement encore nécessaire?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lm-sec lm-sec lm-sec left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Aboisier @lm-sec