Merge pull request #2069 from automatisch/rest-update-password

feat: Implement rest API endpoint to update current user password

packages/backend/src/controllers/api/v1/users/update-current-user-password.js

@@ -0,0 +1,12 @@
+import { renderObject } from '../../../../helpers/renderer.js';
+
+export default async (request, response) => {
+  const user = await request.currentUser.updatePassword(userParams(request));
+
+  renderObject(response, user);
+};
+
+const userParams = (request) => {
+  const { currentPassword, password } = request.body;
+  return { currentPassword, password };
+};

packages/backend/src/controllers/api/v1/users/update-current-user-password.test.js

@@ -0,0 +1,51 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import request from 'supertest';
+import app from '../../../../app.js';
+import createAuthTokenByUserId from '../../../../helpers/create-auth-token-by-user-id.js';
+import { createUser } from '../../../../../test/factories/user.js';
+import updateCurrentUserPasswordMock from '../../../../../test/mocks/rest/api/v1/users/update-current-user-password.js';
+
+describe('PATCH /api/v1/users/:userId/password', () => {
+  let currentUser, token;
+
+  beforeEach(async () => {
+    currentUser = await createUser({ password: 'old-password' });
+    token = await createAuthTokenByUserId(currentUser.id);
+  });
+
+  it('should return updated user with valid password', async () => {
+    const userData = {
+      currentPassword: 'old-password',
+      password: 'new-password',
+    };
+
+    const response = await request(app)
+      .patch(`/api/v1/users/${currentUser.id}/password`)
+      .set('Authorization', token)
+      .send(userData)
+      .expect(200);
+
+    const refetchedCurrentUser = await currentUser.$query();
+    const expectedPayload = updateCurrentUserPasswordMock(refetchedCurrentUser);
+
+    expect(response.body).toStrictEqual(expectedPayload);
+  });
+
+  it('should return HTTP 422 with invalid current password', async () => {
+    const userData = {
+      currentPassword: '',
+      password: 'new-password',
+    };
+
+    const response = await request(app)
+      .patch(`/api/v1/users/${currentUser.id}/password`)
+      .set('Authorization', token)
+      .send(userData)
+      .expect(422);
+
+    expect(response.body.meta.type).toEqual('ValidationError');
+    expect(response.body.errors).toMatchObject({
+      currentPassword: ['is incorrect.'],
+    });
+  });
+});

packages/backend/src/graphql/mutation-resolvers.js

@@ -6,7 +6,6 @@ import generateAuthUrl from './mutations/generate-auth-url.js';
 import registerUser from './mutations/register-user.ee.js';
 import resetConnection from './mutations/reset-connection.js';
 import updateConnection from './mutations/update-connection.js';
-import updateCurrentUser from './mutations/update-current-user.js';
 import updateFlowStatus from './mutations/update-flow-status.js';
 import updateStep from './mutations/update-step.js';
 
@@ -17,6 +16,7 @@ import deleteStep from './mutations/delete-step.js';
 import verifyConnection from './mutations/verify-connection.js';
 import createFlow from './mutations/create-flow.js';
 import deleteCurrentUser from './mutations/delete-current-user.ee.js';
+import updateCurrentUser from './mutations/update-current-user.js';
 
 const mutationResolvers = {
   createConnection,

packages/backend/src/models/user.js

@@ -1,6 +1,7 @@
 import bcrypt from 'bcrypt';
 import { DateTime, Duration } from 'luxon';
 import crypto from 'node:crypto';
+import { ValidationError } from 'objection';
 
 import appConfig from '../config/app.js';
 import { hasValidLicense } from '../helpers/license.ee.js';
@@ -42,7 +43,7 @@ class User extends Base {
       id: { type: 'string', format: 'uuid' },
       fullName: { type: 'string', minLength: 1 },
       email: { type: 'string', format: 'email', minLength: 1, maxLength: 255 },
-      password: { type: 'string' },
+      password: { type: 'string', minLength: 6 },
       status: {
         type: 'string',
         enum: ['active', 'invited'],
@@ -249,6 +250,27 @@ class User extends Base {
     });
   }
 
+  async updatePassword({ currentPassword, password }) {
+    if (await User.authenticate(this.email, currentPassword)) {
+      const user = await this.$query().patchAndFetch({
+        password,
+      });
+
+      return user;
+    }
+
+    throw new ValidationError({
+      data: {
+        currentPassword: [
+          {
+            message: 'is incorrect.',
+          },
+        ],
+      },
+      type: 'ValidationError',
+    });
+  }
+
   async softRemove() {
     await this.softRemoveAssociations();
     await this.$query().delete();

packages/backend/src/routes/api/v1/users.js

@@ -4,6 +4,7 @@ import { authorizeUser } from '../../../helpers/authorization.js';
 import checkIsCloud from '../../../helpers/check-is-cloud.js';
 import getCurrentUserAction from '../../../controllers/api/v1/users/get-current-user.js';
 import updateCurrentUserAction from '../../../controllers/api/v1/users/update-current-user.js';
+import updateCurrentUserPasswordAction from '../../../controllers/api/v1/users/update-current-user-password.js';
 import deleteCurrentUserAction from '../../../controllers/api/v1/users/delete-current-user.js';
 import getUserTrialAction from '../../../controllers/api/v1/users/get-user-trial.ee.js';
 import getAppsAction from '../../../controllers/api/v1/users/get-apps.js';
@@ -18,6 +19,13 @@ const router = Router();
 
 router.get('/me', authenticateUser, getCurrentUserAction);
 router.patch('/:userId', authenticateUser, updateCurrentUserAction);
+
+router.patch(
+  '/:userId/password',
+  authenticateUser,
+  updateCurrentUserPasswordAction
+);
+
 router.get('/:userId/apps', authenticateUser, authorizeUser, getAppsAction);
 router.get('/invoices', authenticateUser, checkIsCloud, getInvoicesAction);
 router.delete('/:userId', authenticateUser, deleteCurrentUserAction);

packages/backend/test/mocks/rest/api/v1/users/update-current-user-password.js

@@ -0,0 +1,22 @@
+const updateCurrentUserPasswordMock = (currentUser) => {
+  return {
+    data: {
+      createdAt: currentUser.createdAt.getTime(),
+      email: currentUser.email,
+      fullName: currentUser.fullName,
+      id: currentUser.id,
+      status: currentUser.status,
+      updatedAt: currentUser.updatedAt.getTime(),
+      trialExpiryDate: currentUser.trialExpiryDate?.toISOString(),
+    },
+    meta: {
+      count: 1,
+      currentPage: null,
+      isArray: false,
+      totalPages: null,
+      type: 'User',
+    },
+  };
+};
+
+export default updateCurrentUserPasswordMock;