Merge pull request #682 from dataswift/suppress-emails-for-password-reset

dataswifty · web-flow · commit ed490da6df00 · 2024-06-06T08:45:37.000-04:00
Suppress the email to the user for the final endpoint to allow for AP…
diff --git a/Dockerfile.copilot b/Dockerfile.copilot
@@ -0,0 +1,38 @@
+FROM adoptopenjdk/openjdk11:jdk-11.0.6_10-alpine
+
+ARG FILE_PATH
+ENV FILE_PATH=$FILE_PATH
+ARG STRING
+ENV STRING=$STRING
+ARG DELIMITER
+ENV DELIMITER=$DELIMITER
+ARG KEYWORD
+ENV KEYWORD=$KEYWORD
+
+ARG SBT_VERSION=1.3.10
+
+RUN set -x \
+  && apk --update add --no-cache --virtual .build-deps curl \
+  && ESUM="3060065764193651aa3fe860a17ff8ea9afc1e90a3f9570f0584f2d516c34380" \
+  && SBT_URL="https://github.com/sbt/sbt/releases/download/v1.3.10/sbt-1.3.10.tgz" \
+  && apk add bash \
+  && curl -Ls ${SBT_URL} > /tmp/sbt-${SBT_VERSION}.tgz \
+  && sha256sum /tmp/sbt-${SBT_VERSION}.tgz \
+  && (echo "${ESUM}  /tmp/sbt-${SBT_VERSION}.tgz" | sha256sum -c -) \
+  && tar -zxf /tmp/sbt-${SBT_VERSION}.tgz -C /opt/ \
+  && sed -i -r 's#run \"\$\@\"#unset JAVA_TOOL_OPTIONS\nrun \"\$\@\"#g' /opt/sbt/bin/sbt \
+  && apk del --purge .build-deps \
+  && rm -rf /tmp/sbt-${SBT_VERSION}.tgz /var/cache/apk/*
+
+
+ENV PATH="/opt/sbt/bin:$PATH" \
+    JAVA_OPTS="-XX:+UseContainerSupport -Dfile.encoding=UTF-8" \
+    SBT_OPTS="-Xmx2048M -Xss2M"
+
+WORKDIR /app
+ADD . /app
+
+RUN ["chmod", "-R", "777", "start.sh"]
+
+CMD ./start.sh
+
diff --git a/hat/app/org/hatdex/hat/api/controllers/Authentication.scala b/hat/app/org/hatdex/hat/api/controllers/Authentication.scala
@@ -308,18 +308,26 @@ class Authentication @Inject() (
     */
   
     // return token and not email, like the other endpoint
-  def handleForgotPassword: Action[ApiPasswordResetRequest] =
+  def handleForgotPassword(
+    sendEmailToUser: Option[Boolean]
+  ): Action[ApiPasswordResetRequest] =
     UserAwareAction.async(parsers.json[ApiPasswordResetRequest]) { implicit request =>
       implicit val language: Lang = Lang.defaultLang
+      implicit val sendEmail: Boolean = sendEmailToUser.getOrElse(true)
+      
       logger.debug("Processing forgotten password request")
+      
       val email = request.body.email
-      val response = Ok(
+      
+      // predefined response
+      var response = Ok(
         Json.toJson(
           SuccessResponse(
             "If the email you have entered is correct, you will shortly receive an email with password reset instructions"
           )
         )
       )
+      
       if (email == request.dynamicEnvironment.ownerEmail)
         // Find the specific user who is the owner.
         userService
@@ -330,11 +338,23 @@ class Authentication @Inject() (
               // Create a token for the reset with a 24 hour expiry
               // isSignUp is potentially the issue here.
               val token = MailTokenUser(email, isSignup = false)
+              
               // Store that token
-              tokenService.create(token).map { _ =>
-                mailer.passwordReset(email, passwordResetLink(request.host, token.id))
-                response
+              tokenService.create(token).map { _ => {
+                // This sends the user an email to the reset URL
+                // And a generic response
+                if (sendEmail) {
+                  mailer.passwordReset(email, passwordResetLink(request.host, token.id))
+                  response
+                }
+                
+                // Do not send an email, but return the token
+                else {
+                  response = Ok(Json.obj("tokenId" -> token.id))
+                  response
+                }
               }
+            }
             // The user was not found, but return the "If we found an email address, we'll send the link."
             case None => Future.successful(response)
           }
@@ -345,9 +365,13 @@ class Authentication @Inject() (
   /**
     * Saves the new password and authenticates the user
     */
-  def handleResetPassword(tokenId: String): Action[ApiPasswordChange] =
+  def handleResetPassword(
+      tokenId: String,
+    sendEmailToUser: Option[Boolean]): Action[ApiPasswordChange] =
     UserAwareAction.async(parsers.json[ApiPasswordChange]) { implicit request =>
       implicit val language: Lang = Lang.defaultLang
+      implicit val sendEmail: Boolean = sendEmailToUser.getOrElse(true)
+      
       tokenService.retrieve(tokenId).flatMap {
         // Token was found, is not signup nor expired
         case Some(token) if !token.isSignUp && !token.isExpired =>
@@ -381,7 +405,9 @@ class Authentication @Inject() (
                     // Push a loginEvent on the bus
                     env.eventBus.publish(LoginEvent(user, request))
                     // Mail the user, telling them the password changed
-                    mailer.passwordChanged(token.email)
+                    if (sendEmail) {
+                      mailer.passwordChanged(token.email)
+                    }
                     // ???: return an AuthenticatorResult, why
                     result
                   }
@@ -411,21 +437,14 @@ class Authentication @Inject() (
 
       val claimHatRequest = request.body
       val email           = request.dynamicEnvironment.ownerEmail
-      val response        = Ok(Json.toJson(SuccessResponse("You will shortly receive an email with claim instructions AAA")))
-
-      println(claimHatRequest.email == email)
-      println(email)
-      println(claimHatRequest)
+      val response        = Ok(Json.toJson(SuccessResponse("You will shortly receive an email with claim instructions")))
 
       if (claimHatRequest.email == email)
         userService
           .listUsers()
           .map(_.find(u => (u.roles.contains(Owner()) && !(u.roles.contains(Verified("email"))))))
           .flatMap {
-            case Some(user) => {
-
-              println(s"found user ${user.email}")
-              
+            case Some(user) => {              
               val eventualClaimContext = for {
                 maybeApplication <- applicationsService
                                       .applicationStatus()(request.dynamicEnvironment, user, request)
@@ -481,7 +500,6 @@ class Authentication @Inject() (
                 }
               }
             case None => {
-              println(s"found user ${response}")
               Future.successful(response)
             }
           }
diff --git a/hat/app/org/hatdex/hat/phata/models/HatClaims.scala b/hat/app/org/hatdex/hat/phata/models/HatClaims.scala
@@ -30,8 +30,8 @@ case class ApiVerificationRequest(
     applicationId: String,
     email: String,
     redirectUri: String) {
-  // override def toString: String =
-  //   s"ApiVerificationRequest(applicationId: $applicationId, email:REDACTED, redirectUri: $redirectUri)"
+  override def toString: String =
+    s"ApiVerificationRequest(applicationId: $applicationId, email:REDACTED, redirectUri: $redirectUri)"
 }
 
 object ApiVerificationRequest {
diff --git a/hat/conf/routes b/hat/conf/routes
@@ -21,8 +21,8 @@ GET         /healthz                                             org.hatdex.hat.
 # AUTHENTICATION routes
 GET         /control/v2/auth/hatlogin                            org.hatdex.hat.api.controllers.Authentication.hatLogin(name: String, redirect: String)
 POST        /control/v2/auth/password                            org.hatdex.hat.api.controllers.Authentication.passwordChangeProcess
-POST        /control/v2/auth/passwordReset                       org.hatdex.hat.api.controllers.Authentication.handleForgotPassword
-POST        /control/v2/auth/passwordreset/confirm/:token        org.hatdex.hat.api.controllers.Authentication.handleResetPassword(token: String)
+POST        /control/v2/auth/passwordReset                       org.hatdex.hat.api.controllers.Authentication.handleForgotPassword(sendEmailToUser: Option[Boolean])
+POST        /control/v2/auth/passwordreset/confirm/:token        org.hatdex.hat.api.controllers.Authentication.handleResetPassword(token: String, sendEmailToUser: Option[Boolean])
 POST        /control/v2/auth/claim                               org.hatdex.hat.api.controllers.Authentication.handleVerificationRequest(lang: Option[String], sendEmailToUser: Option[Boolean])
 POST        /control/v2/auth/request-verification                org.hatdex.hat.api.controllers.Authentication.handleVerificationRequest(lang: Option[String], sendEmailToUser: Option[Boolean])
 POST        /control/v2/auth/claim/complete/:verificationToken   org.hatdex.hat.api.controllers.Authentication.handleVerification(verificationToken: String)
diff --git a/hat/test/org/hatdex/hat/api/controllers/AuthenticationSpec.scala b/hat/test/org/hatdex/hat/api/controllers/AuthenticationSpec.scala
@@ -213,7 +213,7 @@ class AuthenticationSpec extends AuthenticationContext {
       .withJsonBody(Json.toJson(passwordForgottenIncorrect))
 
     val controller             = application.injector.instanceOf[Authentication]
-    val result: Future[Result] = Helpers.call(controller.handleForgotPassword, request)
+    val result: Future[Result] = Helpers.call(controller.handleForgotPassword(Some(true)), request)
 
     status(result) must equal(OK)
   }
@@ -225,7 +225,7 @@ class AuthenticationSpec extends AuthenticationContext {
       .withJsonBody(Json.toJson(passwordForgottenOwner))
 
     val controller             = application.injector.instanceOf[Authentication]
-    val result: Future[Result] = Helpers.call(controller.handleForgotPassword, request)
+    val result: Future[Result] = Helpers.call(controller.handleForgotPassword(Some(true)), request)
 
     status(result) must equal(OK)
   }
@@ -236,7 +236,7 @@ class AuthenticationSpec extends AuthenticationContext {
       .withJsonBody(Json.toJson(passwordResetStrong))
 
     val controller             = application.injector.instanceOf[Authentication]
-    val result: Future[Result] = Helpers.call(controller.handleResetPassword("nosuchtoken"), request)
+    val result: Future[Result] = Helpers.call(controller.handleResetPassword("nosuchtoken", (Some(true))), request)
 
     status(result) must equal(UNAUTHORIZED)
     (contentAsJson(result) \ "cause").as[String] must equal("Token does not exist")
@@ -253,7 +253,7 @@ class AuthenticationSpec extends AuthenticationContext {
 
     val result: Future[Result] = for {
       _ <- tokenService.create(MailTokenUser(tokenId, "hat@hat.org", DateTime.now().minusHours(1), isSignUp = false))
-      result <- Helpers.call(controller.handleResetPassword(tokenId), request)
+      result <- Helpers.call(controller.handleResetPassword(tokenId, (Some(true))), request)
     } yield result
 
     status(result) must equal(UNAUTHORIZED)
@@ -271,7 +271,7 @@ class AuthenticationSpec extends AuthenticationContext {
 
     val result: Future[Result] = for {
       _ <- tokenService.create(MailTokenUser(tokenId, "email@hat.org", DateTime.now().plusHours(1), isSignUp = false))
-      result <- Helpers.call(controller.handleResetPassword(tokenId), request)
+      result <- Helpers.call(controller.handleResetPassword(tokenId, (Some(true))), request)
     } yield result
 
     status(result) must equal(UNAUTHORIZED)
@@ -289,7 +289,7 @@ class AuthenticationSpec extends AuthenticationContext {
     val tokenId      = UUID.randomUUID().toString
     val result: Future[Result] = for {
       _ <- tokenService.create(MailTokenUser(tokenId, "user@hat.org", DateTime.now().plusHours(1), isSignUp = false))
-      result <- Helpers.call(controller.handleResetPassword(tokenId), request)
+      result <- Helpers.call(controller.handleResetPassword(tokenId, (Some(true))), request)
     } yield result
 
     status(result) must equal(OK)
@@ -310,7 +310,7 @@ class AuthenticationSpec extends AuthenticationContext {
       _ <- userService.saveUser(
              owner.copy(roles = Seq(DataDebitOwner("")))
            ) // forcing owner user to a different role for the test
-      result <- Helpers.call(controller.handleResetPassword(tokenId), request)
+      result <- Helpers.call(controller.handleResetPassword(tokenId, (Some(true))), request)
     } yield result
 
     status(result) must equal(UNAUTHORIZED)
@@ -323,7 +323,7 @@ class AuthenticationSpec extends AuthenticationContext {
       .withJsonBody(Json.toJson(apiVerificationRequestMatching))
 
     val controller             = application.injector.instanceOf[Authentication]
-    val result: Future[Result] = Helpers.call(controller.handleVerificationRequest(None), request)
+    val result: Future[Result] = Helpers.call(controller.handleVerificationRequest(None, (Some(true))), request)
 
     status(result) must equal(OK)
   }
@@ -334,7 +334,7 @@ class AuthenticationSpec extends AuthenticationContext {
       .withJsonBody(Json.toJson(apiVerificationRequestNotMatching))
 
     val controller             = application.injector.instanceOf[Authentication]
-    val result: Future[Result] = Helpers.call(controller.handleVerificationRequest(None), request)
+    val result: Future[Result] = Helpers.call(controller.handleVerificationRequest(None, (Some(true))), request)
 
     status(result) must equal(OK)
   }
diff --git a/hat/test/org/hatdex/hat/utils/TrustProxyUtils.scala b/hat/test/org/hatdex/hat/utils/TrustProxyUtils.scala
diff --git a/start.sh b/start.sh
