Fix/password reset bug (#811)

* fix query for finding user in reset_password route

* Add env file to api configuration

* Update certs on circleci

* Update config.yml

* Remove CircleCI

* Fix assert statement for token expiry

* Notify user if password reset token has expired

* Lint fixes

Co-authored-by: mrlarso <[email protected]>

.vscode/launch.json

@@ -27,7 +27,7 @@
       "request": "launch",
       "name": "API",
       "program": "${workspaceFolder}/server/index.js",
-      "runtimeVersion": "8.15.0",
+      "runtimeVersion": "14",
       "envFile": "${workspaceFolder}/.env"
     },
     {

frontend/app/components/authentication/password-reset.js

@@ -1,12 +1,16 @@
 import Component from '@glimmer/component';
 import { action } from '@ember/object';
 import { tracked } from '@glimmer/tracking';
+import { inject as service } from '@ember/service';
 import fetch from 'fetch';
 
 export default class PasswordResetComponent extends Component {
   token = this.args.token;
   email = this.args.email;
 
+  @service notify;
+  @service intl;
+
   @tracked isInvalid = false;
   @tracked showPasswordForm = true;
   @tracked error = { message: '' };
@@ -46,6 +50,18 @@ export default class PasswordResetComponent extends Component {
           ...this.error,
           message: 'Something went wrong. Please try again.',
         };
+        if (response.status === 400) {
+          // intl service not rendering html so we pass the string to html property of notify service
+          this.notify.info({
+            html: this.intl.t(
+              'auth.password_reset.password_reset_token_expired',
+              { htmlSafe: true }
+            ),
+            closeAfter: null,
+          });
+        }
+
+        this.loading = false;
       } else {
         this.showPasswordForm = false;
       }

frontend/translations/auth/en-us.yaml

@@ -31,4 +31,5 @@ password_reset:
   enter_email_prompt: Enter your email address and we'll send you a link to reset your password.
   email_sent_p1: We have sent an email to <strong>{email}</strong>. Click on the password reset link to set your new password.
   email_sent_p2: If you haven’t received an email please check your spam folder or
-  try_again: try again
+  try_again: try again
+  password_reset_token_expired: This password reset link is expired. Click '<'a href="/forgot_password"'>'here'</a>' to request a new link

frontend/translations/auth/sw-ke.yaml

@@ -31,4 +31,5 @@ password_reset:
   enter_email_prompt: Ingiza anwani yako ya barua pepe na tutakutumia kiunga cha kuweka tena nenosiri lako.
   email_sent_p1: Tumetuma barua pepe kwa <strong>{email}</strong>. Bonyeza kiungo cha kuweka upya nenosiri ili kuweka nenosiri lako mpya.
   email_sent_p2: Ikiwa haujapokea barua pepe tafadhali angalia folda yako ya barua taka au
-  try_again: jaribu tena
+  try_again: jaribu tena
+  password_reset_token_expired: This password reset link is expired. Click <a href="/forgot_password">here</a> to request a new link

server/routes/auth.js

@@ -168,14 +168,15 @@ router.post('/reset_password', checkIfPasswordAreSame, async ctx => {
   const auth = ctx.request.body.auth;
   const decodedMail = Buffer.from(auth.email, 'base64').toString('ascii');
 
-  const user = await User.query().where(
+  const user = await User.query().findOne(
     {
       reset_password_token: auth.token,
       email: decodedMail,
     }
   );
+  const tokenExpiryTime = Date.parse(user.resetPasswordExpires);
   ctx.assert(user, 404, 'Account not found');
-  ctx.assert(user.resetPasswordExpires > new Date(+new Date() + 0), 400, 'Reset password token has expired');
+  ctx.assert(tokenExpiryTime > Date.now(), 400, 'Reset password token has expired');
 
   try {
     const userData = await user.$query().patchAndFetch({ 'resetPasswordExpires': new Date(), 'hash': auth.hash });