apoorvdixit88
Contributor

Type of Change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring
  • Dependency updates
  • Documentation
  • CI/CD

Description

  • Allow users to set password when newly signing in
  • Allow users to force change password after specified duration of time

Additional Changes

  • This PR modifies the API contract
  • This PR modifies the database schema
  • This PR modifies application configuration/environment variables

Motivation and Context

Closes #4411

How did you test it?

Use the curl:

curl --location 'http://localhost:8080/user/rotate_password' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer JWT' \
--data '{
    "password": "new_password"
}'

Response will be 200 OK for all successful password changes.

If the current password and new password are the same, then the response will be an Invalid password error.

Checklist

  • I formatted the code cargo +nightly fmt --all
  • I addressed lints thrown by cargo clippy
  • I reviewed the submitted code
  • I added unit tests for my changes where possible

@apoorvdixit88 apoorvdixit88 added C-feature Category: Feature request or enhancement S-waiting-on-review Status: This PR has been implemented and needs to be reviewed M-database-changes Metadata: This PR involves database schema changes C-refactor Category: Refactor M-api-contract-changes Metadata: This PR involves API contract changes A-users Area: Users labels May 6, 2024
@apoorvdixit88 apoorvdixit88 requested review from racnan and ThisIsMani May 6, 2024 19:48
@apoorvdixit88 apoorvdixit88 self-assigned this May 6, 2024
@apoorvdixit88 apoorvdixit88 requested review from a team as code owners May 6, 2024 19:48
@apoorvdixit88 apoorvdixit88 changed the title Force set change password feat(users): implement force set and force change password May 6, 2024
Comment on lines 350 to 375
#[cfg(feature = "olap")]
#[async_trait]
impl<A> AuthenticateAndFetch<(), A> for SinglePurposeJWTAuth
where
A: AppStateInfo + Sync,
{
async fn authenticate_and_fetch(
&self,
request_headers: &HeaderMap,
state: &A,
) -> RouterResult<((), AuthenticationType)> {
let payload = parse_jwt_payload::<A, SinglePurposeToken>(request_headers, state).await?;
if payload.check_in_blacklist(state).await? {
return Err(errors::ApiErrorResponse::InvalidJwtToken.into());
}

Ok((
(),
AuthenticationType::SinglePurposeJWT {
user_id: payload.user_id,
purpose: payload.purpose,
},
))
}
}
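
Review bot: in `authenticate_and_fetch`, `payload.purpose` is passed straight into `AuthenticationType::SinglePurposeJWT` and nothing in the body compares it with an expected purpose, so a non-blacklisted single-purpose token issued for any flow is accepted by this impl. If the `()` variant is kept, check the purpose before returning `Ok`, or document that every caller must inspect `purpose` itself.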


Is this needed?

@@ -43,8 +43,7 @@ impl SPTFlow {
Self::AcceptInvitationFromEmail | Self::ResetPassword => Ok(true),
Self::VerifyEmail => Ok(user.0.is_verified),
// Final Checks
// TODO: this should be based on last_password_modified_at as a placeholder using false
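
Review bot: the TODO under `// Final Checks` is a run-on sentence, and it says the result is a placeholder `false` rather than a comparison against `last_password_modified_at`. Split it into two sentences and point it at the follow-up that adds the timestamp check, so the placeholder is easy to find later.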

Change the From impl for SPTFlow -> Token Purpose

is_verified: is_verified.unwrap_or(user.is_verified),
preferred_merchant_id: preferred_merchant_id
.clone()
.or(user.preferred_merchant_id.clone()),
..user.to_owned()
},
storage::UserUpdate::PasswordUpdate { password } => storage::User {
password: password.clone().unwrap_or(user.password.clone()),
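
Review bot: in the `PasswordUpdate` arm, `password.clone().unwrap_or(user.password.clone())` means an update carrying `None` succeeds while keeping the old password. For a variant whose only job is to change the password, consider making the field non-optional; failing that, `unwrap_or_else(|| user.password.clone())` avoids cloning the stored value when a new one is supplied.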

Add last_password_changed_at here.

ThisIsMani
ThisIsMani previously approved these changes May 7, 2024
racnan
racnan previously approved these changes May 7, 2024
@likhinbopanna likhinbopanna added this pull request to the merge queue May 7, 2024
Merged via the queue into main with commit 59e79ff May 7, 2024
@likhinbopanna likhinbopanna deleted the force-set-change-password branch May 7, 2024 14:25
@pixincreate pixincreate removed the S-waiting-on-review Status: This PR has been implemented and needs to be reviewed label May 9, 2024
Labels
A-users Area: Users C-feature Category: Feature request or enhancement C-refactor Category: Refactor M-api-contract-changes Metadata: This PR involves API contract changes M-database-changes Metadata: This PR involves database schema changes

Successfully merging this pull request may close these issues.

Force password reset