Merge pull request #187 from hackmcgill/feature/change-password

Feature/change password

Author: pierreTklein

constants/role.constant.js

@@ -11,6 +11,7 @@ const accountRole = {
     "routes": [
         Constants.Routes.authRoutes.login,
         Constants.Routes.authRoutes.logout,
+        Constants.Routes.authRoutes.changePassword,
         Constants.Routes.authRoutes.getSelfRoleBindindings,
         Constants.Routes.accountRoutes.getSelf,
         Constants.Routes.accountRoutes.getSelfById,

constants/routes.constant.js

@@ -21,7 +21,11 @@ const authRoutes = {
     "getAnyRoleBindings": {
         requestType: Constants.REQUEST_TYPES.GET,
         uri: "/api/auth/rolebindings/" + Constants.ROLE_CATEGORIES.ALL
-    }
+    },
+    "changePassword": {
+        requestType: Constants.REQUEST_TYPES.PATCH,
+        uri: "/api/auth/password/change"
+    },
 };
 
 const accountRoutes = {

docs/api/api_data.js

@@ -447,6 +447,70 @@ define({
         "url": "https://api.mchacks.ca/api/account/:id"
       }]
     },
+    {
+      "type": "patch",
+      "url": "/auth/password/change",
+      "title": "change password for logged in user",
+      "name": "changePassword",
+      "group": "Authentication",
+      "version": "0.0.8",
+      "parameter": {
+        "fields": {
+          "Parameter": [{
+              "group": "Parameter",
+              "type": "String",
+              "optional": false,
+              "field": "oldPassword",
+              "description": "<p>The current password of the user</p>"
+            },
+            {
+              "group": "Parameter",
+              "type": "String",
+              "optional": false,
+              "field": "newPassword",
+              "description": "<p>The new password of the user</p>"
+            }
+          ]
+        },
+        "examples": [{
+          "title": "Request-Example:",
+          "content": "{ \n    \"oldPassword\": \"password12345\",\n    \"newPassword\": \"password123456\"\n}",
+          "type": "json"
+        }]
+      },
+      "success": {
+        "fields": {
+          "Success 200": [{
+              "group": "Success 200",
+              "type": "string",
+              "optional": false,
+              "field": "message",
+              "description": "<p>Success message</p>"
+            },
+            {
+              "group": "Success 200",
+              "type": "object",
+              "optional": false,
+              "field": "data",
+              "description": "<p>empty</p>"
+            }
+          ]
+        },
+        "examples": [{
+          "title": "Success-Response: ",
+          "content": "{\"message\": \"Successfully reset password\", \"data\": {}}",
+          "type": "json"
+        }]
+      },
+      "permission": [{
+        "name": ": Must be logged in"
+      }],
+      "filename": "routes/api/auth.js",
+      "groupTitle": "Authentication",
+      "sampleRequest": [{
+        "url": "https://api.mchacks.ca/api/auth/password/change"
+      }]
+    },
     {
       "type": "post",
       "url": "/auth/confirm/:token",

docs/api/api_data.json

@@ -446,6 +446,70 @@
       "url": "https://api.mchacks.ca/api/account/:id"
     }]
   },
+  {
+    "type": "patch",
+    "url": "/auth/password/change",
+    "title": "change password for logged in user",
+    "name": "changePassword",
+    "group": "Authentication",
+    "version": "0.0.8",
+    "parameter": {
+      "fields": {
+        "Parameter": [{
+            "group": "Parameter",
+            "type": "String",
+            "optional": false,
+            "field": "oldPassword",
+            "description": "<p>The current password of the user</p>"
+          },
+          {
+            "group": "Parameter",
+            "type": "String",
+            "optional": false,
+            "field": "newPassword",
+            "description": "<p>The new password of the user</p>"
+          }
+        ]
+      },
+      "examples": [{
+        "title": "Request-Example:",
+        "content": "{ \n    \"oldPassword\": \"password12345\",\n    \"newPassword\": \"password123456\"\n}",
+        "type": "json"
+      }]
+    },
+    "success": {
+      "fields": {
+        "Success 200": [{
+            "group": "Success 200",
+            "type": "string",
+            "optional": false,
+            "field": "message",
+            "description": "<p>Success message</p>"
+          },
+          {
+            "group": "Success 200",
+            "type": "object",
+            "optional": false,
+            "field": "data",
+            "description": "<p>empty</p>"
+          }
+        ]
+      },
+      "examples": [{
+        "title": "Success-Response: ",
+        "content": "{\"message\": \"Successfully reset password\", \"data\": {}}",
+        "type": "json"
+      }]
+    },
+    "permission": [{
+      "name": ": Must be logged in"
+    }],
+    "filename": "routes/api/auth.js",
+    "groupTitle": "Authentication",
+    "sampleRequest": [{
+      "url": "https://api.mchacks.ca/api/auth/password/change"
+    }]
+  },
   {
     "type": "post",
     "url": "/auth/confirm/:token",

docs/api/api_project.js

@@ -9,7 +9,7 @@ define({
   "apidoc": "0.3.0",
   "generator": {
     "name": "apidoc",
-    "time": "2018-12-01T22:43:17.010Z",
+    "time": "2018-12-03T02:22:00.260Z",
     "url": "http://apidocjs.com",
     "version": "0.17.6"
   }

docs/api/api_project.json

@@ -9,7 +9,7 @@
   "apidoc": "0.3.0",
   "generator": {
     "name": "apidoc",
-    "time": "2018-12-01T22:43:17.010Z",
+    "time": "2018-12-03T02:22:00.260Z",
     "url": "http://apidocjs.com",
     "version": "0.17.6"
   }

middlewares/auth.middleware.js

@@ -126,6 +126,27 @@ async function retrieveRoleBindings(req, res, next) {
     return next();
 }
 
+/**
+ * Checks that the oldPassword is the current password for the logged in user. If the password is correct,
+ * then updates the password to the string in newPassword.
+ * @param {{user: {email: string}, body: {oldPassword: string, newPassword: string}} req 
+ * @param {*} res 
+ * @param {*} next 
+ */
+async function changePassword(req, res, next) {
+    const acc = await Services.Account.getAccountIfValid(req.user.email, req.body.oldPassword);
+    // user's old password is correct
+    if (!!acc) {
+        req.body.account = await Services.Account.updatePassword(req.user.id, req.body.newPassword);
+        return next();
+    } else {
+        return next({
+            status: 401,
+            message: Constants.Error.AUTH_401_MESSAGE,
+        });
+    }
+}
+
 /**
  * Middleware that sends an email to reset the password for the inputted email address.
  * @param {{body: {email:String}}} req the request object
@@ -432,5 +453,6 @@ module.exports = {
     addCreationRoleBindings: Middleware.Util.asyncMiddleware(addCreationRoleBindings),
     resendConfirmAccountEmail: Middleware.Util.asyncMiddleware(resendConfirmAccountEmail),
     retrieveRoleBindings: Middleware.Util.asyncMiddleware(retrieveRoleBindings),
-    retrieveRoles: Middleware.Util.asyncMiddleware(retrieveRoles)
+    retrieveRoles: Middleware.Util.asyncMiddleware(retrieveRoles),
+    changePassword: Middleware.Util.asyncMiddleware(changePassword),
 };

middlewares/validators/auth.validator.js

@@ -5,12 +5,16 @@ module.exports = {
     ForgotPasswordValidator: [
         VALIDATOR.emailValidator("body", "email", false)
     ],
+    ChangePasswordValidator: [
+        VALIDATOR.passwordValidator("body", "oldPassword", false),
+        VALIDATOR.passwordValidator("body", "newPassword", false)
+    ],
     ResetPasswordValidator: [
-        VALIDATOR.passwordValidator("body","password", false),
+        VALIDATOR.passwordValidator("body", "password", false),
         //The json web token is provided via the header with param "Authentication".
-        VALIDATOR.jwtValidator("header","X-Reset-Token", process.env.JWT_RESET_PWD_SECRET, false)
+        VALIDATOR.jwtValidator("header", "X-Reset-Token", process.env.JWT_RESET_PWD_SECRET, false)
     ],
     accountConfirmationValidator: [
-        VALIDATOR.jwtValidator("param","token", process.env.JWT_CONFIRM_ACC_SECRET, false)
+        VALIDATOR.jwtValidator("param", "token", process.env.JWT_CONFIRM_ACC_SECRET, false)
     ]
-};
+};

routes/api/auth.js

@@ -97,6 +97,38 @@ module.exports = {
             Controllers.Auth.sentResetEmail
         );
 
+        /**
+         * @api {patch} /auth/password/change change password for logged in user
+         * @apiName changePassword
+         * @apiGroup Authentication
+         * @apiVersion 0.0.8
+         * 
+         * @apiParam {String} oldPassword The current password of the user
+         * @apiParam {String} newPassword The new password of the user
+         * 
+         * @apiParamExample {json} Request-Example:
+         *      { 
+         *          "oldPassword": "password12345",
+         *          "newPassword": "password123456"
+         *      }
+         * 
+         * @apiSuccess {string} message Success message
+         * @apiSuccess {object} data empty
+         * @apiSuccessExample {json} Success-Response: 
+         *      {"message": "Successfully reset password", "data": {}}
+         * 
+         * @apiPermission: Must be logged in
+         */
+        authRouter.route("/password/change").patch(
+            Middleware.Auth.ensureAuthenticated(),
+            Middleware.Auth.ensureAuthorized(),
+            Middleware.Validator.Auth.ChangePasswordValidator,
+            Middleware.parseBody.middleware,
+
+            Middleware.Auth.changePassword,
+            Controllers.Auth.resetPassword,
+        );
+
         //untested
         /**
          * @api {post} /auth/password/reset reset password

tests/account.test.js

@@ -359,6 +359,71 @@ describe("POST reset password", function () {
     });
 });
 
+describe("PATCH change password for logged in user", function () {
+    const successChangePassword = {
+        "oldPassword": Admin1.password,
+        "newPassword": "password12345"
+    };
+    const failChangePassword = {
+        "oldPassword": "WrongPassword",
+        "newPassword": "password12345"
+    };
+    // fail on authentication
+    it("should fail to change the user's password because they are not logged in", function (done) {
+        chai.request(server.app)
+            .patch("/api/auth/password/change")
+            .type("application/json")
+            .send(failChangePassword)
+            .end(function (err, res) {
+                res.should.have.status(401);
+                res.should.be.json;
+                res.body.should.have.property("message");
+                res.body.message.should.equal(Constants.Error.AUTH_401_MESSAGE);
+                done();
+            });
+    });
+    // success case
+    it("should change the logged in user's password to a new password", function (done) {
+        util.auth.login(agent, Admin1, (error) => {
+            if (error) {
+                agent.close();
+                return done(error);
+            }
+            agent
+                .patch("/api/auth/password/change")
+                .type("application/json")
+                .send(successChangePassword)
+                .end(function (err, res) {
+                    res.should.have.status(200);
+                    res.should.be.json;
+                    res.body.should.have.property("message");
+                    res.body.message.should.equal("Successfully reset password");
+                    done();
+                });
+        });
+    });
+    // fail case because old password in incorrect
+    it("should fail to change the logged in user's password to a new password because old password is incorrect", function (done) {
+        util.auth.login(agent, Admin1, (error) => {
+            if (error) {
+                agent.close();
+                return done(error);
+            }
+            agent
+                .patch("/api/auth/password/change")
+                .type("application/json")
+                .send(failChangePassword)
+                .end(function (err, res) {
+                    res.should.have.status(401);
+                    res.should.be.json;
+                    res.body.should.have.property("message");
+                    res.body.message.should.equal(Constants.Error.AUTH_401_MESSAGE);
+                    done();
+                });
+        });
+    });
+});
+
 describe("GET retrieve permissions", function () {
     it("should SUCCEED and retrieve the rolebindings for the user", function (done) {
         util.auth.login(agent, storedAccount1, (error) => {