Feature/1677 update password policy

packages/coinstac-api-server/seed/populate.js

@@ -861,6 +861,7 @@ async function populateUsers() {
       [CONSORTIA_IDS[0]]: 'none',
       [CONSORTIA_IDS[1]]: 'none',
     },
+    passwordChangedAt: new Date(),
   }, password);
 
   await helperFunctions.createUser({
@@ -886,6 +887,7 @@ async function populateUsers() {
       [CONSORTIA_IDS[0]]: 'none',
       [CONSORTIA_IDS[1]]: 'none',
     },
+    passwordChangedAt: new Date(),
   }, password);
 
   await helperFunctions.createUser({
@@ -911,6 +913,7 @@ async function populateUsers() {
       [CONSORTIA_IDS[0]]: 'none',
       [CONSORTIA_IDS[1]]: 'none',
     },
+    passwordChangedAt: new Date(),
   }, password);
 
   await helperFunctions.createUser({
@@ -936,6 +939,7 @@ async function populateUsers() {
       [CONSORTIA_IDS[0]]: 'none',
       [CONSORTIA_IDS[1]]: 'none',
     },
+    passwordChangedAt: new Date(),
   }, password);
 
   await helperFunctions.createUser({
@@ -961,6 +965,7 @@ async function populateUsers() {
       [CONSORTIA_IDS[0]]: 'none',
       [CONSORTIA_IDS[1]]: 'none',
     },
+    passwordChangedAt: new Date(),
   }, password);
 
   await helperFunctions.createUser({
@@ -982,6 +987,7 @@ async function populateUsers() {
         author: false,
       },
     },
+    passwordChangedAt: new Date(),
   }, password);
 
   const adminPassword = await helperFunctions.hashPassword(process.argv[3]
@@ -1007,6 +1013,7 @@ async function populateUsers() {
       [CONSORTIA_IDS[0]]: 'none',
       [CONSORTIA_IDS[1]]: 'none',
     },
+    passwordChangedAt: new Date(),
   }, adminPassword);
 }
 

packages/coinstac-api-server/src/auth-helpers.js

@@ -9,6 +9,8 @@ const { eventEmitter, USER_CHANGED } = require('./data/events');
 
 sgMail.setApiKey(process.env.SENDGRID_API_KEY);
 
+const passwordLifeTime = 180;
+
 const audience = 'coinstac';
 const issuer = 'coinstac';
 const subject = 'coinstac';
@@ -84,6 +86,7 @@ const helperFunctions = {
         pipelines: {},
       },
       consortiaStatuses: user.consortiaStatuses || {},
+      passwordChangedAt: new Date(),
     };
 
     const db = database.getDbInstance();
@@ -341,11 +344,21 @@ const helperFunctions = {
       req.payload.password, user.passwordHash
     );
 
-    if (passwordMatch) {
-      return h.response(transformToClient(user));
+    if (!passwordMatch) {
+      return Boom.unauthorized('Incorrect username or password');
+    }
+
+    const { passwordChangedAt } = user;
+    const currentDate = new Date();
+    const difference = Math.ceil(
+      (currentDate.getTime() - passwordChangedAt.getTime()) / (1000 * 3600 * 24)
+    );
+
+    if (difference >= passwordLifeTime) {
+      return Boom.unauthorized('Password is expired');
     }
 
-    return Boom.unauthorized('Incorrect username or password');
+    return h.response(transformToClient(user));
   },
   /**
    * Validate api key used by headless client
@@ -407,12 +420,42 @@ const helperFunctions = {
     }
   },
   /**
-   * Reset password
-   * @param {object} password token for resetting password
+   * Confirms that submitted token is valid
+   * @param {object} req request
+   * @param {object} res response
+   * @return {object} The requested object
+   */
+  async validateResetPassword(req, h) {
+    const db = database.getDbInstance();
+    const user = await db.collection('users').findOne({ username: req.payload.username });
+
+    if (!user) {
+      return Boom.badRequest('Invalid user');
+    }
+
+    const passwordMatch = await helperFunctions.verifyPassword(
+      req.payload.currentPassword, user.passwordHash
+    );
+
+    if (!passwordMatch) {
+      return Boom.badRequest('Current Password is not correct');
+    }
+
+    const isPasswordValid = helperFunctions.validatePasswordWithRegEx(req.payload.newPassword);
+
+    if (!isPasswordValid) {
+      return Boom.badRequest('New Password is not valid');
+    }
+
+    return h.response();
+  },
+  /**
+   * Reset forgot password
+   * @param {object} token token for resetting password
    * @param {object} password new password
    * @return {object}
    */
-  async resetPassword(token, password) {
+  async resetForgotPassword(token, password) {
     const db = database.getDbInstance();
 
     const newPassword = await helperFunctions.hashPassword(password);
@@ -423,6 +466,29 @@ const helperFunctions = {
       $set: {
         passwordHash: newPassword,
         passwordResetToken: '',
+        passwordChangedAt: new Date(),
+      },
+    }, {
+      returnOriginal: false,
+    });
+  },
+  /**
+   * Reset password
+   * @param {object} username username
+   * @param {object} password new password
+   * @return {object}
+   */
+  async resetPassword(username, password) {
+    const db = database.getDbInstance();
+
+    const newPassword = await helperFunctions.hashPassword(password);
+
+    return db.collection('users').updateOne({
+      username,
+    }, {
+      $set: {
+        passwordHash: newPassword,
+        passwordChangedAt: new Date(),
       },
     }, {
       returnOriginal: false,
@@ -499,6 +565,10 @@ const helperFunctions = {
       return Boom.badRequest('invalid user/run combination');
     }
   },
+  validatePasswordWithRegEx(password) {
+    const PASSWORD_PATTERN = /^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[#?!@$%^&*-]).{8,}$/g;
+    return PASSWORD_PATTERN.test(password);
+  },
   audience,
   issuer,
   subject,

packages/coinstac-api-server/src/routes/auth.js

@@ -68,6 +68,10 @@ module.exports = [
         { method: helperFunctions.validateUniqueUser },
       ],
       handler: async (req, h) => {
+        const isPasswordValid = helperFunctions.validatePassword(req.payload.password);
+        if (!isPasswordValid) {
+          return h.response('Invalid password').code(400);
+        }
         const passwordHash = await helperFunctions.hashPassword(req.payload.password);
         const user = await helperFunctions.createUser(req.payload, passwordHash);
         const {
@@ -141,13 +145,26 @@ module.exports = [
   },
   {
     method: 'POST',
-    path: '/resetPassword',
+    path: '/resetForgotPassword',
     config: {
       auth: false,
       pre: [{ method: helperFunctions.validateResetToken }],
       handler: (req, h) => {
         return helperFunctions
-          .resetPassword(req.payload.token, req.payload.password)
+          .resetForgotPassword(req.payload.token, req.payload.password)
+          .then(() => h.response().code(204));
+      },
+    },
+  },
+  {
+    method: 'POST',
+    path: '/resetPassword',
+    config: {
+      auth: false,
+      pre: [{ method: helperFunctions.validateResetPassword }],
+      handler: (req, h) => {
+        return helperFunctions
+          .resetPassword(req.payload.username, req.payload.newPassword)
           .then(() => h.response().code(204));
       },
     },

packages/coinstac-api-server/tests/resolvers.test.js

@@ -95,7 +95,7 @@ test('decodeToken', (t) => {
   t.is(decoded.id, username);
 });
 
-test('createPasswordResetToken, savePasswordResetToken, validateResetToken and resetPassword', async (t) => {
+test('createPasswordResetToken, savePasswordResetToken, validateResetToken and resetForgotPassword', async (t) => {
   /* createPasswordResetToken */
   const email = '[email protected]';
   const token = helperFunctions.createPasswordResetToken(email);
@@ -133,9 +133,9 @@ test('createPasswordResetToken, savePasswordResetToken, validateResetToken and r
   t.is(error.message, INVALID_EMAIL);
   jwt.verify.restore();
 
-  /* resetPassword */
+  /* resetForgotPassword */
   const newPassword = 'newPassword';
-  await helperFunctions.resetPassword(token, newPassword);
+  await helperFunctions.resetForgotPassword(token, newPassword);
   const res = await helperFunctions.getUserDetailsByID(USER_IDS[0]);
   const isValid = await helperFunctions.verifyPassword(newPassword, res.passwordHash);
   t.true(isValid);

packages/coinstac-api-server/tests/routes.test.js

@@ -225,8 +225,8 @@ test('sendPasswordResetEmail', async (t) => {
 });
 
 
-test('resetPassword', async (t) => {
-  const createAccount = find(authRoutes, { path: '/resetPassword' });
+test('resetForgotPassword', async (t) => {
+  const createAccount = find(authRoutes, { path: '/resetForgotPassword' });
 
   const req = {
     payload: {
@@ -235,7 +235,7 @@ test('resetPassword', async (t) => {
     },
   };
 
-  sinon.stub(helperFunctions, 'resetPassword').resolves();
+  sinon.stub(helperFunctions, 'resetForgotPassword').resolves();
 
   const res = {
     response: () => ({
@@ -247,7 +247,7 @@ test('resetPassword', async (t) => {
 
   await createAccount.config.handler(req, res);
 
-  helperFunctions.resetPassword.restore();
+  helperFunctions.resetForgotPassword.restore();
 });
 
 test('version', (t) => {