Feature/recover password

[jamcunha]

Closes #84

Review checklist

• Properly documents API changes in docs/openapi.yml
• Contains enough appropriate tests
• Behavior is as expected
• Clean, well structured code

[BrunoRosendo]

The logic looks good overall. I didn't do a careful review since this is just a draft

[codecov]

Codecov Report

Patch coverage: 26.08% and project coverage change: -3.64 ⚠️

Comparison is base (af68fd8) 88.99% compared to head (36812a3) 85.36%.

❗ Current head 36812a3 differs from pull request most recent head 1be6f37. Consider uploading reports for the commit 1be6f37 to get more accurate results

Additional details and impacted files

@@              Coverage Diff              @@
##             develop     #113      +/-   ##
=============================================
- Coverage      88.99%   85.36%   -3.64%     
+ Complexity       361      234     -127     
=============================================
  Files             63       43      -20     
  Lines            827      567     -260     
  Branches          65       29      -36     
=============================================
- Hits             736      484     -252     
- Misses            57       62       +5     
+ Partials          34       21      -13     

Impacted Files	Coverage Δ
...ni/website/backend/controller/AccountController.kt	83.33% <0.00%> (-16.67%)	⬇️
...fe/ni/website/backend/controller/AuthController.kt	83.33% <0.00%> (-16.67%)	⬇️
.../fe/ni/website/backend/dto/auth/PassRecoveryDto.kt	0.00% <0.00%> (ø)
...pt/up/fe/ni/website/backend/service/AuthService.kt	91.48% <0.00%> (-4.07%)	⬇️
.../up/fe/ni/website/backend/service/ErrorMessages.kt	71.42% <ø> (-19.49%)	⬇️
...up/fe/ni/website/backend/service/AccountService.kt	61.53% <28.57%> (-38.47%)	⬇️
...ebsite/backend/config/auth/AuthConfigProperties.kt	100.00% <100.00%> (ø)

... and 51 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[BrunoRosendo]

@jamcunha Is this ready for review or do you still have some doubts? We can talk about it in the next meeting or in 1on1

[bdmendes]

The code looks good to me. To improve security a bit, we can look into serializing the current password into the jwt to make sure it is only used once: https://stackoverflow.com/a/54865104

[github-actions]

Check the documentation preview: https://649ca04ed8b19e215c607a56--niaefeup-backend-docs.netlify.app

[github-actions]

Check the documentation preview: https://649ca1498b322b02fcdd527a--niaefeup-backend-docs.netlify.app

[BrunoRosendo]

Very good job with this implementation! I left some comments with small suggestions and doubts

[github-actions]

Check the documentation preview: https://64a0e585de74510aa07bd843--niaefeup-backend-docs.netlify.app

[BrunoRosendo]

Good job, I left a small comment but I'm pre-approving. It'd be nice if you could review your commits too, maybe squash a few

[github-actions]

Check the documentation preview: https://64a1a0168cd57a5fc9cb1bc4--niaefeup-backend-docs.netlify.app

[BrunoRosendo]

Regarding the latest change, where do you check to see if the hash present in the jwt is the same as the one in the db?

[BrunoRosendo]

Regarding the latest change, where do you check to see if the hash present in the jwt is the same as the one in the db?

nevermind this comment, I was looking at the wrong diff

[BrunoRosendo]

can you create 1/2 tests for the latest change? Maybe 1 where a user tries to use the same recovery link twice and another one just to check for missing hash (if the last one isn't too hard)

[DoStini]

For security reasons, users should not be able to know if a email is registered in a website, so the request should always be Ok 200

[DoStini]

Overall looking good, just left some comments to improve the RESTiness of the API and privacy concerning issues 🚀

[bdmendes]

What if the hash is not in the payload (since we have that option)? You can simply let it be null and skip the next check if that is the case.

[jamcunha]

Just changed the recovery URL request to be provided with the email instead of the id and removed errors related to invalid tokens, logging them instead.

Seems weird to me that this is in a different controller.

I suggest either moving everything to auth controller or to account controller.

Besides that, there are two requests with a similar URL recoverPassword.

I suggest the following routes in AuthController: post -> password/recovery with email in body post -> password/recovery/{token}/confirm post -> password/update

The tests may be lacking because I didn't want to test more without making these changes.

[github-actions]

Check the documentation preview: https://64a5f916ff15070f4706ee8a--niaefeup-backend-docs.netlify.app

[BrunoRosendo]

small changes, Im also waiting for @DoStini response on my comment

[BrunoRosendo]

Is the logger being used?

[github-actions]

Check the documentation preview: https://64aae9d16ffd10485fee1ef9--niaefeup-backend-docs.netlify.app

[BrunoRosendo]

Small comments, besides the one still unresolved

Also, can you find a way to test the uncovered (red) lines? It'd be awesome if it's not too much trouble

[BrunoRosendo]

Suggested change

	fun generateRecoveryToken(email: String): String? {
	fun generateRecoveryToken(email: String): String {

Correct me if I'm wrong but I believe it can't be null

[jamcunha]

Small comments, besides the one still unresolved

Also, can you find a way to test the uncovered (red) lines? It'd be awesome if it's not too much trouble

I'm having problems trying to test those two lines because when testing token expiration, I try to create a new token with all the claims of the previous token but modifying the expireAt to Instant.now() but it's caught in an exception when trying to decode in confirmRecoveryToken. I think it's the same for passwordHash claim.

[github-actions]

Check the documentation preview: https://64c92675c420e6299b59bee0--niaefeup-backend-docs.netlify.app

[jamcunha]

For now, I only changed the error handling in the recovery logic so as not to mess up with the tests. After some inputs, I will change the handling for other jwt logic.

[BrunoRosendo]

Needs a rebase but I'm pre-approving

[LuisDuarte1]

LGTM 🚀, it looks clean to me, just solve the conflicts below 😅

[LuisDuarte1]

@jamcunha can you fix the conflicts please?

[github-actions]

Check the documentation preview: https://64efb2c789311e0a7eba43ac--niaefeup-backend-docs.netlify.app

[DoStini]

Make this return OK all the time and comment on what is supposed to go on an email. If someone wants to test this right away, one can simply print the result. It is safer to leave the correct behavior already implemented.

Suggested change

	val recoveryToken = authService.generateRecoveryToken(recoveryRequestDto.email)
	?: return emptyMap()
	// TODO: Change to email service
	return mapOf("recovery_url" to "$recoverPasswordPage/$recoveryToken/confirm")
	val recoveryToken = authService.generateRecoveryToken(recoveryRequestDto.email)
	?: return emptyMap()
	// TODO: Add email service with payload "$recoverPasswordPage/$recoveryToken/
	return ""

[DoStini]

I'm not sure about the return "", but it should always be status 200.

Also document on why this is done for security reasons, in order to not leak what are the emails associated with our service

[jamcunha]

Couldn't we have it return the recovery link for now so we can test the feature and remove it when the email service is complete?

If I'm not wrong it always returns status 200.

[DoStini]

Why the changes here?

[jamcunha]

I removed the try catch block and handled the exception in the ErrorController and the token expiration validation is already handled in the decode() method.

[DoStini]

If the error is not the expected one (account not found), log the error so that developers can more easily find the problem

[jamcunha]

If someone uses an email that's not related to an account it would trigger the exception. I don't think we should log this.

[DoStini]

This function also updates the account password, so I don't think this is the best name. I would either change the function name a little but, or extract the update logic and use this as an auxiliary function to validate the token

[DoStini]

As I explained before, this is not the expected behavior. Both cases will return empty and ok status.

What you should do is test the request returns empty and ok both times, but also to test if the first situation does not call the generate token function. I think the easiest way would be by mocking JwtClaimsSet and verifying if some of those functions do not get called.

[jamcunha]

Same as above, this could be as is for now and changed when the email service is implemented.
Can leave a comment to remind that.

[DoStini]

Suggested change

	val recoveryToken = authService.generateRecoveryToken(recoveryRequestDto.email)
	?: return emptyMap()
	val recoveryToken = authService.generateRecoveryToken(recoveryRequestDto.email)