Skip to content

Commit

Permalink
Merge pull request #228 from Police-Data-Accessibility-Project/improv…
Browse files Browse the repository at this point in the history 
…ed_password_reset

Improved password reset
  • Loading branch information
@josh-chamberlain
josh-chamberlain committed Mar 25, 2024
2 parents 8b04500 + e6bdf01 commit 1b43305
Show file tree
Hide file tree
Showing 9 changed files with 152 additions and 9 deletions.
6 changes: 6 additions & 0 deletions app.py
View file
Expand Up @@ -7,6 +7,7 @@
from resources.ApiKey import ApiKey
from resources.RequestResetPassword import RequestResetPassword
from resources.ResetPassword import ResetPassword
from resources.ResetTokenValidation import ResetTokenValidation
from resources.QuickSearch import QuickSearch
from resources.DataSources import (
DataSources,
Expand Down Expand Up @@ -50,6 +51,11 @@
"/reset-password",
resource_class_kwargs={"psycopg2_connection": psycopg2_connection},
)
api.add_resource(
ResetTokenValidation,
"/reset-token-validation",
resource_class_kwargs={"psycopg2_connection": psycopg2_connection},
)
api.add_resource(
QuickSearch,
"/quick-search/<search>/<location>",
Expand Down
26 changes: 24 additions & 2 deletions client/src/pages/ResetPassword.vue
View file
Expand Up @@ -15,8 +15,11 @@
class="pdap-flex-container mx-auto max-w-2xl"
>
<h1>Change your password</h1>
<p v-if="!hasValidatedToken" class="flex flex-col items-start sm:gap-4">
Loading...
</p>
<p
v-if="isExpiredToken"
v-else-if="hasValidatedToken && isExpiredToken"
data-test="token-expired"
class="flex flex-col items-start sm:gap-4"
>
Expand Down Expand Up @@ -72,7 +75,7 @@
<script setup>
import { Button, Form } from 'pdap-design-system';
import { useUserStore } from '../stores/user';
import { ref, watchEffect } from 'vue';
import { onMounted, ref, watchEffect } from 'vue';
import { RouterLink, useRoute } from 'vue-router';
// Constants
Expand Down Expand Up @@ -137,6 +140,7 @@ const user = useUserStore();
// Reactive vars
const error = ref(undefined);
const isExpiredToken = ref(false);
const hasValidatedToken = ref(false);
const loading = ref(false);
const success = ref(false);
Expand All @@ -147,7 +151,25 @@ watchEffect(() => {
});
// Functions
// Lifecycle methods
onMounted(validateToken);
// Handlers
async function validateToken() {
if (!token) return;
try {
const response = await user.validateResetPasswordToken(token);
if (300 < response.status >= 200) {
isExpiredToken.value = false;
}
} catch (error) {
isExpiredToken.value = true;
} finally {
hasValidatedToken.value = true;
}
}
/**
* Handles clearing pw-match form errors on change if they exist
*/
Expand Down
8 changes: 8 additions & 0 deletions client/src/pages/__tests__/__snapshots__/resetPassword.test.js.snap
View file
Expand Up @@ -46,6 +46,14 @@ exports[`Reset password page > With token (reset password) > With token, reset p
</main>
`;
exports[`Reset password page > With token (reset password) > With token, reset password > Handles API error with invalid token 1`] = `
<main class="pdap-flex-container mx-auto max-w-2xl">
<h1>Change your password</h1>
<p class="flex flex-col items-start sm:gap-4"> Sorry, that token has expired. <a> Click here to request another </a>
</p>
</main>
`;
exports[`Reset password page > With token (reset password) > With token, reset password > Renders error message with mismatched passwords when trying to sign up and re-validates form 1`] = `
<main class="pdap-flex-container mx-auto max-w-2xl">
<h1>Change your password</h1>
Expand Down
54 changes: 52 additions & 2 deletions client/src/pages/__tests__/resetPassword.test.js
View file
@@ -1,5 +1,13 @@
import { RouterLinkStub, flushPromises, mount } from '@vue/test-utils';
import { describe, expect, beforeEach, it, vi, beforeAll } from 'vitest';
import {
describe,
expect,
beforeEach,
it,
vi,
beforeAll,
afterEach,
} from 'vitest';
import { nextTick } from 'vue';
import { createTestingPinia } from '@pinia/testing';
import { useUserStore } from '../../stores/user';
Expand Down Expand Up @@ -33,6 +41,10 @@ describe('Reset password page', () => {
user = useUserStore();
});

afterEach(() => {
user = undefined;
});

describe('No token (request PW reset)', () => {
beforeAll(() => {
useRoute.mockImplementation(() => ({
Expand Down Expand Up @@ -139,7 +151,12 @@ describe('Reset password page', () => {
let confirmPassword;
let form;

beforeEach(() => {
beforeEach(async () => {
// Setting the token stuff manually, as we're asserting against UI in this suite
wrapper.vm.isExpiredToken = false;
wrapper.vm.hasValidatedToken = true;
await nextTick();

password = wrapper.find('[data-test="password"] input');
confirmPassword = wrapper.find('[data-test="confirm-password"] input');
form = wrapper.find('[data-test="reset-password-form"]');
Expand Down Expand Up @@ -191,6 +208,39 @@ describe('Reset password page', () => {

expect(expired.exists()).toBe(true);
expect(reRequest.exists()).toBe(true);

expect(wrapper.html()).toMatchSnapshot();
});
});

describe('With token - token validation', () => {
// Skipping because this isn't working for some reason... TODO: look into fixing
it.skip('Accepts valid token API response and renders appropriate UI', async () => {
vi.mocked(user.validateResetPasswordToken).mockResolvedValueOnce({
data: { message: 'Token is valid' },
});

await wrapper.vm.validateToken();
await flushPromises();

console.log({ markup: wrapper.html() });
expect(wrapper.find('[data-test="reset-password-form"]').exists()).toBe(
true,
);
});

it('Accepts invalid token API response and renders appropriate UI', async () => {
vi.mocked(user.validateResetPasswordToken).mockRejectedValueOnce(
new Error({
data: { message: 'Token is expired' },
status: 400,
}),
);

await wrapper.vm.validateToken();
await flushPromises();

expect(wrapper.find('[data-test="token-expired"]').exists()).toBe(true);
});
});
});
Expand Down
13 changes: 11 additions & 2 deletions client/src/stores/user.js
View file
Expand Up @@ -9,6 +9,7 @@ const SIGNUP_URL = `${import.meta.env.VITE_VUE_API_BASE_URL}/user`;
const CHANGE_PASSWORD_URL = `${import.meta.env.VITE_VUE_API_BASE_URL}/user`;
const REQUEST_PASSWORD_RESET_URL = `${import.meta.env.VITE_VUE_API_BASE_URL}/request-reset-password`;
const PASSWORD_RESET_URL = `${import.meta.env.VITE_VUE_API_BASE_URL}/reset-password`;
const VALIDATE_PASSWORD_RESET_TOKEN_URL = `${import.meta.env.VITE_VUE_API_BASE_URL}/reset-token-validation`;

export const useUserStore = defineStore('user', {
state: () => ({
Expand Down Expand Up @@ -42,11 +43,19 @@ export const useUserStore = defineStore('user', {
},

async requestPasswordReset(email) {
await axios.post(REQUEST_PASSWORD_RESET_URL, { email }, HEADERS);
return await axios.post(REQUEST_PASSWORD_RESET_URL, { email }, HEADERS);
},

async resetPassword(password, token) {
await axios.post(`${PASSWORD_RESET_URL}`, { password, token }, HEADERS);
return await axios.post(PASSWORD_RESET_URL, { password, token }, HEADERS);
},

async validateResetPasswordToken(token) {
return await axios.post(
VALIDATE_PASSWORD_RESET_TOKEN_URL,
{ token },
HEADERS,
);
},
},
});
16 changes: 16 additions & 0 deletions regular_api_checks.py
View file
Expand Up @@ -200,6 +200,22 @@ def test_request_reset_password():
return response.json()["message"] == "Successfully updated password"


def test_reset_token_validation():
reset_token = requests.post(
f"{BASE_URL}/request-reset-password",
headers=HEADERS,
json={"email": "test2"},
)

response = requests.post(
f"{BASE_URL}/reset-token-validation",
headers=HEADERS,
json={"token": reset_token.json()["token"], "password": "test"},
)

return response.json()["message"] == "Token is valid"


# api-key
def test_get_api_key():
response = requests.get(
Expand Down
2 changes: 1 addition & 1 deletion resources/RequestResetPassword.py
View file
Expand Up @@ -36,7 +36,7 @@ def post(self):
)

return {
"message": "An email has been sent to your email address with a link to reset your password.",
"message": "An email has been sent to your email address with a link to reset your password. It will be valid for 15 minutes.",
"token": token,
}

Expand Down
3 changes: 1 addition & 2 deletions resources/ResetPassword.py
View file
Expand Up @@ -3,7 +3,6 @@
from flask import request
from middleware.reset_token_queries import (
check_reset_token,
add_reset_token,
delete_reset_token,
)
from datetime import datetime as dt
Expand All @@ -25,7 +24,7 @@ def post(self):
return {"message": "The submitted token is invalid"}, 400

token_create_date = token_data["create_date"]
token_expired = (dt.utcnow() - token_create_date).total_seconds() > 300
token_expired = (dt.utcnow() - token_create_date).total_seconds() > 900
delete_reset_token(cursor, token_data["email"], token)
if token_expired:
return {"message": "The submitted token is invalid"}, 400
Expand Down
33 changes: 33 additions & 0 deletions resources/ResetTokenValidation.py
View file
@@ -0,0 +1,33 @@
from flask_restful import Resource
from flask import request
from middleware.reset_token_queries import (
check_reset_token,
)
from datetime import datetime as dt


class ResetTokenValidation(Resource):
def __init__(self, **kwargs):
self.psycopg2_connection = kwargs["psycopg2_connection"]

def post(self):
try:
data = request.get_json()
token = data.get("token")
cursor = self.psycopg2_connection.cursor()
token_data = check_reset_token(cursor, token)
if "create_date" not in token_data:
return {"message": "The submitted token is invalid"}, 400

token_create_date = token_data["create_date"]
token_expired = (dt.utcnow() - token_create_date).total_seconds() > 900

if token_expired:
return {"message": "The submitted token is invalid"}, 400

return {"message": "Token is valid"}

except Exception as e:
self.psycopg2_connection.rollback()
print(str(e))
return {"message": str(e)}, 500

0 comments on commit 1b43305

Please sign in to comment.