cal.pub0.org/apps/web/pages/api/auth/forgot-password.ts

import type { ResetPasswordRequest } from "@prisma/client";
import type { NextApiRequest, NextApiResponse } from "next";
import { z } from "zod";

import dayjs from "@calcom/dayjs";
import { sendPasswordResetEmail } from "@calcom/emails";
import { PASSWORD_RESET_EXPIRY_HOURS } from "@calcom/emails/templates/forgot-password-email";
import { checkRateLimitAndThrowError } from "@calcom/lib/checkRateLimitAndThrowError";
import { defaultHandler } from "@calcom/lib/server";
import { getTranslation } from "@calcom/lib/server/i18n";
import prisma from "@calcom/prisma";

async function handler(req: NextApiRequest, res: NextApiResponse) {
  const email = z
    .string()
    .email()
    .transform((val) => val.toLowerCase())
    .safeParse(req.body?.email);

  if (!email.success) {
    return res.status(400).json({ message: "email is required" });
  }

  // fallback to email if ip is not present
  let ip = (req.headers["x-real-ip"] as string) ?? email.data;

  const forwardedFor = req.headers["x-forwarded-for"] as string;
  if (!ip && forwardedFor) {
    ip = forwardedFor?.split(",").at(0) ?? email.data;
  }

  // 10 requests per minute

  await checkRateLimitAndThrowError({
    rateLimitingType: "core",
    identifier: ip,
  });

  try {
    const maybeUser = await prisma.user.findUnique({
      where: {
        email: email.data,
      },
      select: {
        name: true,
        identityProvider: true,
        email: true,
        locale: true,
      },
    });

    if (!maybeUser) {
      // Don't leak information about whether an email is registered or not
      return res
        .status(200)
        .json({ message: "If this email exists in our system, you should receive a Reset email." });
    }

    const t = await getTranslation(maybeUser.locale ?? "en", "common");

    const maybePreviousRequest = await prisma.resetPasswordRequest.findMany({
      where: {
        email: maybeUser.email,
        expires: {
          gt: new Date(),
        },
      },
    });

    let passwordRequest: ResetPasswordRequest;

    if (maybePreviousRequest && maybePreviousRequest?.length >= 1) {
      passwordRequest = maybePreviousRequest[0];
    } else {
      const expiry = dayjs().add(PASSWORD_RESET_EXPIRY_HOURS, "hours").toDate();
      const createdResetPasswordRequest = await prisma.resetPasswordRequest.create({
        data: {
          email: maybeUser.email,
          expires: expiry,
        },
      });
      passwordRequest = createdResetPasswordRequest;
    }

    const resetLink = `${process.env.NEXT_PUBLIC_WEBAPP_URL}/auth/forgot-password/${passwordRequest.id}`;
    await sendPasswordResetEmail({
      language: t,
      user: maybeUser,
      resetLink,
    });

    return res
      .status(201)
      .json({ message: "If this email exists in our system, you should receive a Reset email." });
  } catch (reason) {
    // console.error(reason);
    return res.status(500).json({ message: "Unable to create password reset request" });
  }
}

export default defaultHandler({
  POST: Promise.resolve({ default: handler }),
});
Enforces explicit type imports (#7158) * Enforces explicit type imports * Upgrades typescript-eslint * Upgrades eslint related dependencies * Update config * Sync packages mismatches * Syncs prettier version * Linting * Relocks node version * Fixes * Locks @vitejs/plugin-react to 1.3.2 * Linting 2023-02-16 22:39:57 +00:00			`import type { ResetPasswordRequest } from "@prisma/client";`
			`import type { NextApiRequest, NextApiResponse } from "next";`
feat: add rate limiting to reset password endpoint (#7700) * feat: add rate limiting to reset password endpoint * Update apps/web/pages/api/auth/forgot-password.ts --------- Co-authored-by: Alex van Andel <me@alexvanandel.com> Co-authored-by: Omar López <zomars@me.com> 2023-03-20 11:20:29 +00:00			`import { z } from "zod";`
Suggestion: let prettier sort imports order (#673) * Suggestion: let prettier sort imports order # Conflicts: # yarn.lock * AUTO SORT ALL THE IMPORTS * Linting * Fixes test 2021-09-22 19:52:38 +00:00
Consolidates dayjs in a single package 2022-06-28 20:40:58 +00:00			`import dayjs from "@calcom/dayjs";`
Refactor emails to use JSX as templating engine (#2915) * Init Maizzle * Initial template JSX conversion and testing * WIP * WIP * WIP * WIP * WIP * Migrated AttendeeRescheduledEmail * WIP * WIP * DRY * Cleanup * Cleanup * Cleanup * Migrate feedback email * Migrates ForgotPasswordEmail * Migrates OrganizerCancelledEmail * Migrated OrganizerLocationChangeEmail * Formatting * Migrated AttendeeRequestRescheduledEmail * Migrates OrganizerPaymentRefundFailedEmail * Migrates OrganizerRequestEmail * Migrates OrganizerRequestReminderEmail * Fixes type-check * Moved email-manager to package * Import fixes * Removed duplicate email code from vital app * Removed duplicate email code from wipemycal * Build/type fixes * Fixes web email imports * Fixes build * Embed build fixes * Update AttendeeAwaitingPaymentEmail.tsx * Update default-cookies.ts * Revert "Embed build fixes" This reverts commit 8d693e99aca6dfe92d5cbb27ffa962545c3e9389. * Embed build fixes # Conflicts: # packages/embeds/embed-core/package.json * dep and email date fixes * Update attendee-scheduled-email.ts * Update package.json * Update [...nextauth].tsx * Update email.ts * Prevents /api/email on production builds Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-06-06 17:49:56 +00:00			`import { sendPasswordResetEmail } from "@calcom/emails";`
			`import { PASSWORD_RESET_EXPIRY_HOURS } from "@calcom/emails/templates/forgot-password-email";`
feat: ratelimit - ratelimit refactor + tests (#9744) Co-authored-by: Omar López <zomars@me.com> 2023-06-26 19:44:58 +00:00			`import { checkRateLimitAndThrowError } from "@calcom/lib/checkRateLimitAndThrowError";`
fix: use ip address in forgot password rate limitation (#7832) * feat: use IP address for rate limiting * fix: use mail as the last choice * fix: fallback to ip * fix: endpoint * fix: endpoint 2023-05-30 19:26:29 +00:00			`import { defaultHandler } from "@calcom/lib/server";`
WIP: SIU: Maximum call stack size exceeded fix? (#6740) * Maximum call stack size exceeded fix? # Conflicts: # packages/prisma/index.ts * Prisma client extensions is too much for our TS * Removed unused Icons * Type fixes 2023-01-26 22:51:03 +00:00			`import { getTranslation } from "@calcom/lib/server/i18n";`
Consolidates dayjs in a single package 2022-06-28 20:40:58 +00:00			`import prisma from "@calcom/prisma";`
feat: add translations for emails and type error fixes overall (#994) * feat: add translations for forgot password email and misc * fix: type fixes * feat: translate invitation email * fix: e2e tests * fix: lint * feat: type fixes and i18n for emails * Merge main * fix: jest import on server path * Merge * fix: playwright tests * fix: lint Co-authored-by: Bailey Pumfleet <pumfleet@hey.com> 2021-10-25 13:05:21 +00:00
fix: use ip address in forgot password rate limitation (#7832) * feat: use IP address for rate limiting * fix: use mail as the last choice * fix: fallback to ip * fix: endpoint * fix: endpoint 2023-05-30 19:26:29 +00:00			`async function handler(req: NextApiRequest, res: NextApiResponse) {`
feat: add rate limiting to reset password endpoint (#7700) * feat: add rate limiting to reset password endpoint * Update apps/web/pages/api/auth/forgot-password.ts --------- Co-authored-by: Alex van Andel <me@alexvanandel.com> Co-authored-by: Omar López <zomars@me.com> 2023-03-20 11:20:29 +00:00			`const email = z`
			`.string()`
			`.email()`
			`.transform((val) => val.toLowerCase())`
fix: use ip address in forgot password rate limitation (#7832) * feat: use IP address for rate limiting * fix: use mail as the last choice * fix: fallback to ip * fix: endpoint * fix: endpoint 2023-05-30 19:26:29 +00:00			`.safeParse(req.body?.email);`
feat: add rate limiting to reset password endpoint (#7700) * feat: add rate limiting to reset password endpoint * Update apps/web/pages/api/auth/forgot-password.ts --------- Co-authored-by: Alex van Andel <me@alexvanandel.com> Co-authored-by: Omar López <zomars@me.com> 2023-03-20 11:20:29 +00:00
fix: use ip address in forgot password rate limitation (#7832) * feat: use IP address for rate limiting * fix: use mail as the last choice * fix: fallback to ip * fix: endpoint * fix: endpoint 2023-05-30 19:26:29 +00:00			`if (!email.success) {`
			`return res.status(400).json({ message: "email is required" });`
			`}`
feat: add rate limiting to reset password endpoint (#7700) * feat: add rate limiting to reset password endpoint * Update apps/web/pages/api/auth/forgot-password.ts --------- Co-authored-by: Alex van Andel <me@alexvanandel.com> Co-authored-by: Omar López <zomars@me.com> 2023-03-20 11:20:29 +00:00
fix: use ip address in forgot password rate limitation (#7832) * feat: use IP address for rate limiting * fix: use mail as the last choice * fix: fallback to ip * fix: endpoint * fix: endpoint 2023-05-30 19:26:29 +00:00			`// fallback to email if ip is not present`
			`let ip = (req.headers["x-real-ip"] as string) ?? email.data;`

			`const forwardedFor = req.headers["x-forwarded-for"] as string;`
			`if (!ip && forwardedFor) {`
			`ip = forwardedFor?.split(",").at(0) ?? email.data;`
feat: add rate limiting to reset password endpoint (#7700) * feat: add rate limiting to reset password endpoint * Update apps/web/pages/api/auth/forgot-password.ts --------- Co-authored-by: Alex van Andel <me@alexvanandel.com> Co-authored-by: Omar López <zomars@me.com> 2023-03-20 11:20:29 +00:00			`}`
feat: add translations for emails and type error fixes overall (#994) * feat: add translations for forgot password email and misc * fix: type fixes * feat: translate invitation email * fix: e2e tests * fix: lint * feat: type fixes and i18n for emails * Merge main * fix: jest import on server path * Merge * fix: playwright tests * fix: lint Co-authored-by: Bailey Pumfleet <pumfleet@hey.com> 2021-10-25 13:05:21 +00:00
fix: use ip address in forgot password rate limitation (#7832) * feat: use IP address for rate limiting * fix: use mail as the last choice * fix: fallback to ip * fix: endpoint * fix: endpoint 2023-05-30 19:26:29 +00:00			`// 10 requests per minute`

feat: ratelimit - ratelimit refactor + tests (#9744) Co-authored-by: Omar López <zomars@me.com> 2023-06-26 19:44:58 +00:00			`await checkRateLimitAndThrowError({`
			`rateLimitingType: "core",`
feat: Upstash implementation for rate limiting/redis (#9514) * Introduce rate limiting that works on the edge * typo * Log once on init * Update rateLimit.ts --------- Co-authored-by: zomars <zomars@me.com> 2023-06-19 10:01:06 +00:00			`identifier: ip,`
			`});`

Allow user to reset password 2021-06-24 15:59:11 +00:00			`try {`
feat: add translations for emails and type error fixes overall (#994) * feat: add translations for forgot password email and misc * fix: type fixes * feat: translate invitation email * fix: e2e tests * fix: lint * feat: type fixes and i18n for emails * Merge main * fix: jest import on server path * Merge * fix: playwright tests * fix: lint Co-authored-by: Bailey Pumfleet <pumfleet@hey.com> 2021-10-25 13:05:21 +00:00			`const maybeUser = await prisma.user.findUnique({`
Allow user to reset password 2021-06-24 15:59:11 +00:00			`where: {`
fix: use ip address in forgot password rate limitation (#7832) * feat: use IP address for rate limiting * fix: use mail as the last choice * fix: fallback to ip * fix: endpoint * fix: endpoint 2023-05-30 19:26:29 +00:00			`email: email.data,`
Allow user to reset password 2021-06-24 15:59:11 +00:00			`},`
			`select: {`
			`name: true,`
Add log in with Google and SAML (#1192) * Add log in with Google * Fix merge conflicts * Merge branch 'main' into feature/copy-add-identity-provider # Conflicts: # pages/api/auth/[...nextauth].tsx # pages/api/auth/forgot-password.ts # pages/settings/security.tsx # prisma/schema.prisma # public/static/locales/en/common.json * WIP: SAML login * fixed login * fixed verified_email check for Google * tweaks to padding * added BoxyHQ SAML service to local docker-compose * identityProvider is missing from the select clause * user may be undefined * fix for yarn build * Added SAML configuration to Settings -> Security page * UI tweaks * get saml login flag from the server * UI tweaks * moved SAMLConfiguration to a component in ee * updated saml migration date * fixed merge conflict * fixed merge conflict * lint fixes * check-types fixes * check-types fixes * fixed type errors * updated docker image for SAML Jackson * added api keys config * added default values for SAML_TENANT_ID and SAML_PRODUCT_ID * - move all env vars related to saml into a separate file for easy access - added SAML_ADMINS comma separated list of emails that will be able to configure the SAML metadata * cleanup after merging main * revert mistake during merge * revert mistake during merge * set info text to indicate SAML has been configured. * tweaks to text * tweaks to text * i18n text * i18n text * tweak * use a separate db for saml to avoid Prisma schema being out of sync * use separate docker-compose file for saml * padding tweak * Prepare for implementing SAML login for the hosted solution * WIP: Support for SAML in the hosted solution * teams view has changed, adjusting saml changes accordingly * enabled SAML only for PRO plan * if user was invited and signs in via saml/google then update the user record * WIP: embed saml lib * 302 instead of 307 * no separate docker-compose file for saml * - ogs cleanup - type fixes * fixed types for jackson * cleaned up cors, not needed by the oauth flow * updated jackson to support encryption at rest * updated saml-jackson lib * allow only the required http methods * fixed issue with latest merge with main * - Added instructions for deploying SAML support - Tweaked SAML audience identifier * fixed check for hosted Cal instance * Added a new route to initiate Google and SAML login flows * updated saml-jackson lib (node engine version is now 14.x or above) * moved SAML instructions from Google Docs to a docs file * moved randomString to lib * comment SAML_DATABASE_URL and SAML_ADMINS in .env.example so that default is SAML off. * fixed path to randomString * updated @boxyhq/saml-jackson to v0.3.0 * fixed TS errors * tweaked SAML config UI * fixed types * added e2e test for Google login * setup secrets for Google login test * test for OAuth login buttons (Google and SAML) * enabled saml for the test * added test for SAML config UI * fixed nextauth import * use pkce flow * tweaked NextAuth config for saml * updated saml-jackson * added ability to delete SAML configuration * SAML variables explainers and refactoring * Prevents constant collision * Var name changes * Env explainers * better validation for email Co-authored-by: Omar López <zomars@me.com> * enabled GOOGLE_API_CREDENTIALS in e2e tests (Github Actions secret) * cleanup (will create an issue to handle forgot password for Google and SAML identities) Co-authored-by: Chris <76668588+bytesbuffer@users.noreply.github.com> Co-authored-by: Omar López <zomars@me.com> 2022-01-13 20:05:23 +00:00			`identityProvider: true,`
Use the matched user email to send the password reset to (#1366) 2021-12-21 17:31:32 +00:00			`email: true,`
fix: Use user locale for sending password resets (#10104) 2023-07-12 19:04:07 +00:00			`locale: true,`
Allow user to reset password 2021-06-24 15:59:11 +00:00			`},`
			`});`

			`if (!maybeUser) {`
V2 password reset design (#4327) * using new v2 buttons in password reset * Forgot password UI * Logo updates * change error copy * Fix tests Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> Co-authored-by: sean-brydon <55134778+sean-brydon@users.noreply.github.com> Co-authored-by: Hariom Balhara <hariombalhara@gmail.com> 2022-09-12 09:25:54 +00:00			`// Don't leak information about whether an email is registered or not`
			`return res`
			`.status(200)`
			`.json({ message: "If this email exists in our system, you should receive a Reset email." });`
Allow user to reset password 2021-06-24 15:59:11 +00:00			`}`

fix: Use user locale for sending password resets (#10104) 2023-07-12 19:04:07 +00:00			`const t = await getTranslation(maybeUser.locale ?? "en", "common");`

Allow user to reset password 2021-06-24 15:59:11 +00:00			`const maybePreviousRequest = await prisma.resetPasswordRequest.findMany({`
			`where: {`
Use the matched user email to send the password reset to (#1366) 2021-12-21 17:31:32 +00:00			`email: maybeUser.email,`
Allow user to reset password 2021-06-24 15:59:11 +00:00			`expires: {`
Use the matched user email to send the password reset to (#1366) 2021-12-21 17:31:32 +00:00			`gt: new Date(),`
Allow user to reset password 2021-06-24 15:59:11 +00:00			`},`
			`},`
			`});`

			`let passwordRequest: ResetPasswordRequest;`

			`if (maybePreviousRequest && maybePreviousRequest?.length >= 1) {`
			`passwordRequest = maybePreviousRequest[0];`
			`} else {`
Emails Revamp (#1201) * refactor: emails (WIP) * wip * wip * refactor: calendarClient * chore: remove comment * feat: new templates * feat: more templates (wip) * feat: email templates wip * feat: email templates wip * feat: prepare for testing * For testing stripe integration * Uses imported BASE_URL * Fixes types * use BASE_URL Co-authored-by: Omar López <zomars@me.com> Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2021-11-26 11:03:43 +00:00			`const expiry = dayjs().add(PASSWORD_RESET_EXPIRY_HOURS, "hours").toDate();`
Allow user to reset password 2021-06-24 15:59:11 +00:00			`const createdResetPasswordRequest = await prisma.resetPasswordRequest.create({`
			`data: {`
Use the matched user email to send the password reset to (#1366) 2021-12-21 17:31:32 +00:00			`email: maybeUser.email,`
Allow user to reset password 2021-06-24 15:59:11 +00:00			`expires: expiry,`
			`},`
			`});`
			`passwordRequest = createdResetPasswordRequest;`
			`}`

The Dotenv Refactor (#2275) * dotenv refactoring * dotenv fixes * Env variables cleanup * Updates e2e variables * Moves environment file to types * Removes conflicting configs * Readds missing variables * Fixes * More fixes * Update .env.example * Update yarn.lock * Update turbo.json * Fixes e2e * Temp fix * disables cache for lint * Please work * I'm getting desperate here. * Matches node versions * Take 2 * Revert "Take 2" This reverts commit a735f47f2325c2040168e0cd99dea0fc357a791f. * Update .env.example 2022-03-26 00:39:38 +00:00			const resetLink = `${process.env.NEXT_PUBLIC_WEBAPP_URL}/auth/forgot-password/${passwordRequest.id}`;
Refactor emails to use JSX as templating engine (#2915) * Init Maizzle * Initial template JSX conversion and testing * WIP * WIP * WIP * WIP * WIP * Migrated AttendeeRescheduledEmail * WIP * WIP * DRY * Cleanup * Cleanup * Cleanup * Migrate feedback email * Migrates ForgotPasswordEmail * Migrates OrganizerCancelledEmail * Migrated OrganizerLocationChangeEmail * Formatting * Migrated AttendeeRequestRescheduledEmail * Migrates OrganizerPaymentRefundFailedEmail * Migrates OrganizerRequestEmail * Migrates OrganizerRequestReminderEmail * Fixes type-check * Moved email-manager to package * Import fixes * Removed duplicate email code from vital app * Removed duplicate email code from wipemycal * Build/type fixes * Fixes web email imports * Fixes build * Embed build fixes * Update AttendeeAwaitingPaymentEmail.tsx * Update default-cookies.ts * Revert "Embed build fixes" This reverts commit 8d693e99aca6dfe92d5cbb27ffa962545c3e9389. * Embed build fixes # Conflicts: # packages/embeds/embed-core/package.json * dep and email date fixes * Update attendee-scheduled-email.ts * Update package.json * Update [...nextauth].tsx * Update email.ts * Prevents /api/email on production builds Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-06-06 17:49:56 +00:00			`await sendPasswordResetEmail({`
feat: add translations for emails and type error fixes overall (#994) * feat: add translations for forgot password email and misc * fix: type fixes * feat: translate invitation email * fix: e2e tests * fix: lint * feat: type fixes and i18n for emails * Merge main * fix: jest import on server path * Merge * fix: playwright tests * fix: lint Co-authored-by: Bailey Pumfleet <pumfleet@hey.com> 2021-10-25 13:05:21 +00:00			`language: t,`
Use the matched user email to send the password reset to (#1366) 2021-12-21 17:31:32 +00:00			`user: maybeUser,`
Upgrades next-auth to v4 (#1185) * Upgrades next-auth to v4 * Fixes next-auth session types * Type fixes * Fixes login issue * Team page fixes * Type fixes * Fixes secret * Adds test for forgotten password * Skips if pw secret is undefined * Prevents error if PW secret is undefined * Adds PLAYWRIGHT_SECRET explainer * Adds pending auth TODOs * Adds missing secret * Fixed imports * Fixed imports * Type fixes * Test fixes Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-01-07 20:23:37 +00:00			`resetLink,`
Refactor emails to use JSX as templating engine (#2915) * Init Maizzle * Initial template JSX conversion and testing * WIP * WIP * WIP * WIP * WIP * Migrated AttendeeRescheduledEmail * WIP * WIP * DRY * Cleanup * Cleanup * Cleanup * Migrate feedback email * Migrates ForgotPasswordEmail * Migrates OrganizerCancelledEmail * Migrated OrganizerLocationChangeEmail * Formatting * Migrated AttendeeRequestRescheduledEmail * Migrates OrganizerPaymentRefundFailedEmail * Migrates OrganizerRequestEmail * Migrates OrganizerRequestReminderEmail * Fixes type-check * Moved email-manager to package * Import fixes * Removed duplicate email code from vital app * Removed duplicate email code from wipemycal * Build/type fixes * Fixes web email imports * Fixes build * Embed build fixes * Update AttendeeAwaitingPaymentEmail.tsx * Update default-cookies.ts * Revert "Embed build fixes" This reverts commit 8d693e99aca6dfe92d5cbb27ffa962545c3e9389. * Embed build fixes # Conflicts: # packages/embeds/embed-core/package.json * dep and email date fixes * Update attendee-scheduled-email.ts * Update package.json * Update [...nextauth].tsx * Update email.ts * Prevents /api/email on production builds Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2022-06-06 17:49:56 +00:00			`});`
Allow user to reset password 2021-06-24 15:59:11 +00:00
fix: Password reset tests & better expiry checking (#10102) 2023-07-12 17:27:41 +00:00			`return res`
			`.status(201)`
			`.json({ message: "If this email exists in our system, you should receive a Reset email." });`
Allow user to reset password 2021-06-24 15:59:11 +00:00			`} catch (reason) {`
Use the matched user email to send the password reset to (#1366) 2021-12-21 17:31:32 +00:00			`// console.error(reason);`
Allow user to reset password 2021-06-24 15:59:11 +00:00			`return res.status(500).json({ message: "Unable to create password reset request" });`
			`}`
			`}`
fix: use ip address in forgot password rate limitation (#7832) * feat: use IP address for rate limiting * fix: use mail as the last choice * fix: fallback to ip * fix: endpoint * fix: endpoint 2023-05-30 19:26:29 +00:00
			`export default defaultHandler({`
			`POST: Promise.resolve({ default: handler }),`
			`});`