Add reset password commands

Author: azimux

Gemfile.lock

@@ -43,29 +43,31 @@ GEM
     ffi-compiler (1.3.2)
       ffi (>= 1.15.5)
       rake
-    foob (0.0.12)
-      foobara
-      foobara-command-generator
-      foobara-domain-generator
-      foobara-domain-mapper-generator
-      foobara-empty-ruby-project-generator
-      foobara-empty-typescript-react-project-generator
-      foobara-local-files-crud-driver-generator
-      foobara-organization-generator
-      foobara-rack-connector-generator
-      foobara-redis-crud-driver-generator
-      foobara-remote-imports-generator
-      foobara-resque-connector-generator
-      foobara-resque-scheduler-connector-generator
+    foob (0.0.13)
+      foobara (~> 0.0.99)
+      foobara-command-generator (~> 0.0.1)
+      foobara-domain-generator (~> 0.0.1)
+      foobara-domain-mapper-generator (~> 0.0.1)
+      foobara-empty-ruby-project-generator (~> 0.0.1)
+      foobara-empty-typescript-react-project-generator (~> 0.0.1)
+      foobara-local-files-crud-driver-generator (~> 0.0.1)
+      foobara-mcp-connector-generator (~> 0.0.1)
+      foobara-organization-generator (~> 0.0.1)
+      foobara-rack-connector-generator (~> 0.0.1)
+      foobara-redis-crud-driver-generator (~> 0.0.1)
+      foobara-remote-imports-generator (~> 0.0.1)
+      foobara-resque-connector-generator (~> 0.0.1)
+      foobara-resque-scheduler-connector-generator (~> 0.0.1)
       foobara-sh-cli-connector (~> 0.0.10)
-      foobara-sh-cli-connector-generator
-      foobara-type-generator
-      foobara-typescript-react-command-form-generator
-      foobara-typescript-remote-command-generator
-    foobara (0.0.96)
+      foobara-sh-cli-connector-generator (~> 0.0.1)
+      foobara-type-generator (~> 0.0.1)
+      foobara-typescript-react-command-form-generator (~> 0.0.1)
+      foobara-typescript-remote-command-generator (~> 0.0.1)
+    foobara (0.0.102)
       bigdecimal
       foobara-lru-cache (~> 0.0.2)
       foobara-util (~> 0.0.11)
+      inheritable-thread-vars (~> 0.0.1)
     foobara-command-generator (0.0.3)
       foobara
       foobara-files-generator
@@ -90,6 +92,8 @@ GEM
       foobara
       foobara-files-generator
     foobara-lru-cache (0.0.2)
+    foobara-mcp-connector-generator (0.0.1)
+      foobara (~> 0.0.99)
     foobara-organization-generator (0.0.2)
       foobara
       foobara-files-generator
@@ -110,7 +114,7 @@ GEM
     foobara-rubocop-rules (0.0.8)
       rubocop
       rubocop-rspec
-    foobara-sh-cli-connector (0.0.13)
+    foobara-sh-cli-connector (0.0.15)
       foobara (~> 0.0.88)
     foobara-sh-cli-connector-generator (0.0.4)
       foobara-files-generator (~> 0.0.1)
@@ -142,6 +146,7 @@ GEM
       guard-compat (~> 1.1)
       rspec (>= 2.99.0, < 4.0)
     hashdiff (1.1.2)
+    inheritable-thread-vars (0.0.1)
     io-console (0.8.0)
     irb (1.15.2)
       pp (>= 0.6.0)
@@ -164,7 +169,7 @@ GEM
       shellany (~> 0.0)
     ostruct (0.6.1)
     parallel (1.26.3)
-    parser (3.3.7.4)
+    parser (3.3.8.0)
       ast (~> 2.4.1)
       racc
     pp (0.6.2)
@@ -220,7 +225,7 @@ GEM
       rubocop-ast (>= 1.44.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.44.0)
+    rubocop-ast (1.44.1)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
     rubocop-rake (0.7.1)

spec/create_reset_password_token_spec.rb

@@ -0,0 +1,34 @@
+RSpec.describe Foobara::Auth::CreateResetPasswordToken do
+  after { Foobara.reset_alls }
+
+  before do
+    Foobara::Persistence.default_crud_driver = Foobara::Persistence::CrudDrivers::InMemory.new
+  end
+
+  let(:command) { described_class.new(inputs) }
+  let(:outcome) { command.run }
+  let(:result) { outcome.result }
+  let(:errors) { outcome.errors }
+  let(:errors_hash) { outcome.errors_hash }
+
+  let(:user) do
+    Foobara::Auth::CreateUser.run!(username: "Basil", email: "[email protected]", plaintext_password:)
+  end
+  let(:plaintext_password) { "somepassword" }
+
+  let(:inputs) do
+    { user: user.id }
+  end
+
+  it "sets the user's reset_password_token" do
+    user_id = user.id
+
+    expect {
+      expect(outcome).to be_success
+    }.to change {
+      Foobara::Auth::Types::User.transaction do
+        Foobara::Auth::Types::User.load(user_id).reset_password_token&.id
+      end
+    }
+  end
+end

spec/reset_password_spec.rb

@@ -0,0 +1,158 @@
+RSpec.describe Foobara::Auth::ResetPassword do
+  after { Foobara.reset_alls }
+
+  before do
+    Foobara::Persistence.default_crud_driver = Foobara::Persistence::CrudDrivers::InMemory.new
+  end
+
+  let(:command) { described_class.new(inputs) }
+  let(:outcome) { command.run }
+  let(:result) { outcome.result }
+  let(:errors) { outcome.errors }
+  let(:errors_hash) { outcome.errors_hash }
+
+  let(:user) do
+    Foobara::Auth::CreateUser.run!(username: "Basil", email: "[email protected]", plaintext_password:)
+  end
+  let(:plaintext_password) { "somepassword" }
+  let(:old_password) { plaintext_password }
+  let(:new_password) { "somenewpassword" }
+  let(:reset_password_token_secret) do
+    Foobara::Auth::CreateResetPasswordToken.run!(user: user.id)
+  end
+
+  context "when using a reset password token" do
+    let(:inputs) do
+      { reset_password_token_secret:, new_password: }
+    end
+
+    it "is successful and we can verify with the new password after resetting" do
+      expect(
+        Foobara::Auth::VerifyPassword.run!(user: user.id, plaintext_password: old_password)
+      ).to be true
+      expect(
+        Foobara::Auth::VerifyPassword.run!(user: user.id, plaintext_password: new_password)
+      ).to be false
+
+      expect(outcome).to be_success
+      expect(result).to be_a(Foobara::Auth::Types::User)
+
+      expect(
+        Foobara::Auth::VerifyPassword.run!(user: user.id, plaintext_password: old_password)
+      ).to be false
+      expect(
+        Foobara::Auth::VerifyPassword.run!(user: user.id, plaintext_password: new_password)
+      ).to be true
+    end
+
+    it "marks the original refresh token as used" do
+      reset_password_token_secret
+
+      reloaded_user = Foobara::Auth::FindUser.run!(id: user.id)
+      reset_token_id = reloaded_user.reset_password_token.id
+
+      expect {
+        expect(outcome).to be_success
+      }.to change {
+        Foobara::Auth::Types::User.transaction do
+          Foobara::Auth::Types::Token.load(reset_token_id).inactive?
+        end
+      }.from(false).to(true)
+    end
+
+    context "with an invalid refresh token" do
+      let(:inputs) do
+        { reset_password_token_secret: invalid_token, new_password: }
+      end
+      let(:invalid_token) do
+        text = reset_password_token_secret.dup
+        text[-5] = text[-5] == "x" ? "y" : "x"
+        text
+      end
+
+      it "fails with appropriate error" do
+        expect(outcome).to_not be_success
+        expect(outcome.errors_hash).to include("runtime.invalid_reset_password_token")
+      end
+    end
+
+    context "when the reset password token has been replaced" do
+      it "fails with the expected error" do
+        reset_password_token_secret
+        Foobara::Auth::CreateResetPasswordToken.run!(user: user.id)
+
+        expect(outcome).to_not be_success
+        expect(outcome.errors_hash.keys).to include("runtime.user_not_found_for_reset_token")
+      end
+    end
+  end
+
+  context "when using the old password to reset" do
+    let(:inputs) do
+      { user: user.id, old_password:, new_password: }
+    end
+
+    it "is successful and we can verify with the new password after resetting" do
+      expect(
+        Foobara::Auth::VerifyPassword.run!(user: user.id, plaintext_password: old_password)
+      ).to be true
+      expect(
+        Foobara::Auth::VerifyPassword.run!(user: user.id, plaintext_password: new_password)
+      ).to be false
+
+      expect(outcome).to be_success
+      expect(result).to be_a(Foobara::Auth::Types::User)
+
+      expect(
+        Foobara::Auth::VerifyPassword.run!(user: user.id, plaintext_password: old_password)
+      ).to be false
+      expect(
+        Foobara::Auth::VerifyPassword.run!(user: user.id, plaintext_password: new_password)
+      ).to be true
+    end
+
+    context "when the old password is bad" do
+      let(:inputs) do
+        { user: user.id, old_password: "badpassword", new_password: }
+      end
+
+      it "gives the expected error" do
+        expect(outcome).to_not be_success
+        expect(outcome.errors_hash.keys).to include("runtime.incorrect_old_password")
+      end
+    end
+
+    context "when omitting the user" do
+      let(:inputs) do
+        { old_password:, new_password: }
+      end
+
+      it "gives the expected error" do
+        expect(outcome).to_not be_success
+        expect(outcome.errors_hash.keys).to include("runtime.user_not_given")
+      end
+    end
+  end
+
+  context "when giving everything" do
+    let(:inputs) do
+      { user: user.id, old_password:, new_password:, reset_password_token_secret: }
+    end
+
+    it "gives the expected error" do
+      expect(outcome).to_not be_success
+      expect(outcome.errors_hash.keys).to include("runtime.both_password_reset_token_and_old_password_given")
+    end
+  end
+
+  context "when only giving the user and new_password" do
+    let(:inputs) do
+      { user: user.id, new_password: }
+    end
+
+    it "gives the expected error" do
+      expect(outcome).to_not be_success
+      expect(outcome.errors_hash.keys).to include("runtime.no_password_reset_token_or_old_password_given")
+    end
+  end
+end

src/create_reset_password_token.rb

@@ -0,0 +1,45 @@
+require "securerandom"
+
+require_relative "create_token"
+
+module Foobara
+  module Auth
+    class CreateResetPasswordToken < Foobara::Command
+      depends_on CreateToken
+
+      inputs do
+        user Types::User, :required
+        token_ttl :integer, default: 5 * 60
+      end
+
+      result :string, :sensitive_exposed
+
+      def execute
+        determine_timestamps
+
+        generate_new_reset_password_token
+        save_new_reset_password_token_on_user
+
+        reset_password_token_secret
+      end
+
+      attr_accessor :expires_at, :reset_password_token_record, :reset_password_token_secret
+
+      def determine_timestamps
+        now = Time.now
+        self.expires_at = now + token_ttl
+      end
+
+      def generate_new_reset_password_token
+        result = run_subcommand!(CreateToken, expires_at:)
+
+        self.reset_password_token_record = result[:token_record]
+        self.reset_password_token_secret = result[:token_string]
+      end
+
+      def save_new_reset_password_token_on_user
+        user.reset_password_token = reset_password_token_record
+      end
+    end
+  end
+end