feat: password history

restorecommerce · Nov 12, 2024 · ecf1041 · ecf1041
1 parent e7ddfbc
commit ecf1041
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 8 deletions.
diff --git a/cfg/config.json b/cfg/config.json
@@ -25,7 +25,10 @@
     "minUsernameLength": 8,
     "maxUsernameLength": 40,
     "passwordComplexityMinScore": 3,
-    "passwordMinLength": 12
+    "passwordMinLength": 12,
+    "passwordHistoryEnabled": true,
+    "passwordHistorySize": 3,
+    "passwordHistoryEnforcement": false
   },
   "logger": {
     "console": {
@@ -423,4 +426,4 @@
     "users": "./data/seed_data/seed-accounts.json",
     "roles": "./data/seed_data/seed-roles.json"
   }
-}
+}
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -22,7 +22,7 @@
     "@restorecommerce/grpc-client": "^2.2.5",
     "@restorecommerce/kafka-client": "1.2.18",
     "@restorecommerce/logger": "^1.3.2",
-    "@restorecommerce/rc-grpc-clients": "5.1.40",
+    "@restorecommerce/rc-grpc-clients": "5.1.41",
     "@restorecommerce/resource-base-interface": "^1.6.2",
     "@restorecommerce/scs-jobs": "0.1.45",
     "@restorecommerce/service-config": "^1.0.16",

diff --git a/src/service.ts b/src/service.ts
@@ -1596,6 +1596,28 @@ export class UserService extends ServiceBase<UserListResponse, UserList> impleme
         return returnOperationStatus(400, `Password is too weak The password score is ${resultPasswordChecker.score}/4, minimum score is ${minScore}. Suggestions: ${resultPasswordChecker.feedback.suggestions} & ${resultPasswordChecker.feedback.warning} User ID ${user.id}`);
       }
 
+      if (this.cfg.get('service:passwordHistoryEnabled')) {
+        if (!('password_hash_history' in user)) {
+          user.password_hash_history = [];
+        }
+
+        if (this.cfg.get('service:passwordHistoryEnforcement')) {
+          for (const old_hash of user.password_hash_history) {
+            if (!password.verify(old_hash, newPw)) {
+              logger.error(`This password has recently been used. User ID:`, user.id);
+              return returnOperationStatus(400, `This password has recently been used. User ID ${user.id}`);
+            }
+          }
+        }
+
+        user.password_hash_history.unshift(user.password_hash);
+
+        const limit = this.cfg.get('service:passwordHistorySize');
+        if (limit > 0) {
+          user.password_hash_history = user.password_hash_history.slice(0, limit);
+        }
+      }
+
       user.password_hash = password.hash(newPw);
       const updateStatus = await super.update(UserList.fromPartial({
         items: [user]

diff --git a/test/cfg/config.json b/test/cfg/config.json
@@ -26,7 +26,10 @@
     "passwordMinLength": 12,
     "data": {
       "url": "https://www.google.com/"
-    }
+    },
+    "passwordHistoryEnabled": true,
+    "passwordHistorySize": 3,
+    "passwordHistoryEnforcement": true
   },
   "logger": {
     "console": {

diff --git a/test/service.spec.ts b/test/service.spec.ts
@@ -1187,6 +1187,43 @@ describe('testing identity-srv', () => {
           upUser.activation_code!.should.be.empty();
           upUser.password_hash!.should.not.equal(pwHashA);
         });
+
+        it('should fail to change the password if it was used before', async function changePasswordFail(): Promise<void> {
+          // store token to Redis as passwordChange looks up the user based on token (as this operation is for logged in user)
+          let expires_in = new Date(); // set expires_in to +1 day
+          expires_in.setDate(expires_in.getDate() + 1);
+          let userWithToken = {
+            name: 'test.user1', // user registered initially, storing with token in DB
+            first_name: 'test',
+            last_name: 'user',
+            password: 'CNQJrH%43KAayeDpf3h',
+            email: '[email protected]',
+            token: 'user-token',
+            tokens: [{
+              token: 'user-token',
+              expires_in
+            }]
+          };
+          const redisConfig = cfg.get('redis');
+          // for findByToken
+          redisConfig.database = cfg.get('redis:db-indexes:db-findByToken') || 0;
+          tokenRedisClient = RedisCreateClient(redisConfig);
+          tokenRedisClient.on('error', (err) => logger.error('Redis client error in token cache store', err));
+          await tokenRedisClient.connect();
+          // store user with tokens and role associations to Redis index `db-findByToken`
+          await tokenRedisClient.set('user-token', JSON.stringify(userWithToken));
+
+          this.timeout(30000);
+          const changeResult = await (userService.changePassword({
+            password: 'CNQJrH%44KAayeDpf3h',
+            new_password: 'CNQJrH%43KAayeDpf3h',
+            subject: { token: 'user-token' }
+          }));
+          should.exist(changeResult);
+          should.exist(changeResult.operation_status);
+          changeResult.operation_status!.code!.should.equal(400);
+          changeResult.operation_status!.message!.should.match(/This password has recently been used. User ID .*/);
+        });
       });
 
       describe('calling changeEmail', function changeEmailId(): void {