2023-02-16 22:39:57 +00:00
|
|
|
import type { ResetPasswordRequest } from "@prisma/client";
|
|
|
|
import type { NextApiRequest, NextApiResponse } from "next";
|
2023-03-20 11:20:29 +00:00
|
|
|
import { z } from "zod";
|
2021-09-22 19:52:38 +00:00
|
|
|
|
2022-06-28 20:40:58 +00:00
|
|
|
import dayjs from "@calcom/dayjs";
|
2022-06-06 17:49:56 +00:00
|
|
|
import { sendPasswordResetEmail } from "@calcom/emails";
|
|
|
|
import { PASSWORD_RESET_EXPIRY_HOURS } from "@calcom/emails/templates/forgot-password-email";
|
2023-06-26 19:44:58 +00:00
|
|
|
import { checkRateLimitAndThrowError } from "@calcom/lib/checkRateLimitAndThrowError";
|
2023-05-30 19:26:29 +00:00
|
|
|
import { defaultHandler } from "@calcom/lib/server";
|
2023-01-26 22:51:03 +00:00
|
|
|
import { getTranslation } from "@calcom/lib/server/i18n";
|
2022-06-28 20:40:58 +00:00
|
|
|
import prisma from "@calcom/prisma";
|
2021-10-25 13:05:21 +00:00
|
|
|
|
2023-05-30 19:26:29 +00:00
|
|
|
async function handler(req: NextApiRequest, res: NextApiResponse) {
|
2021-10-25 13:05:21 +00:00
|
|
|
const t = await getTranslation(req.body.language ?? "en", "common");
|
2023-05-30 19:26:29 +00:00
|
|
|
|
2023-03-20 11:20:29 +00:00
|
|
|
const email = z
|
|
|
|
.string()
|
|
|
|
.email()
|
|
|
|
.transform((val) => val.toLowerCase())
|
2023-05-30 19:26:29 +00:00
|
|
|
.safeParse(req.body?.email);
|
2023-03-20 11:20:29 +00:00
|
|
|
|
2023-05-30 19:26:29 +00:00
|
|
|
if (!email.success) {
|
|
|
|
return res.status(400).json({ message: "email is required" });
|
|
|
|
}
|
2023-03-20 11:20:29 +00:00
|
|
|
|
2023-05-30 19:26:29 +00:00
|
|
|
// fallback to email if ip is not present
|
|
|
|
let ip = (req.headers["x-real-ip"] as string) ?? email.data;
|
|
|
|
|
|
|
|
const forwardedFor = req.headers["x-forwarded-for"] as string;
|
|
|
|
if (!ip && forwardedFor) {
|
|
|
|
ip = forwardedFor?.split(",").at(0) ?? email.data;
|
2023-03-20 11:20:29 +00:00
|
|
|
}
|
2021-10-25 13:05:21 +00:00
|
|
|
|
2023-05-30 19:26:29 +00:00
|
|
|
// 10 requests per minute
|
|
|
|
|
2023-06-26 19:44:58 +00:00
|
|
|
await checkRateLimitAndThrowError({
|
|
|
|
rateLimitingType: "core",
|
2023-06-19 10:01:06 +00:00
|
|
|
identifier: ip,
|
|
|
|
});
|
|
|
|
|
2021-06-24 15:59:11 +00:00
|
|
|
try {
|
2021-10-25 13:05:21 +00:00
|
|
|
const maybeUser = await prisma.user.findUnique({
|
2021-06-24 15:59:11 +00:00
|
|
|
where: {
|
2023-05-30 19:26:29 +00:00
|
|
|
email: email.data,
|
2021-06-24 15:59:11 +00:00
|
|
|
},
|
|
|
|
select: {
|
|
|
|
name: true,
|
2022-01-13 20:05:23 +00:00
|
|
|
identityProvider: true,
|
2021-12-21 17:31:32 +00:00
|
|
|
email: true,
|
2021-06-24 15:59:11 +00:00
|
|
|
},
|
|
|
|
});
|
|
|
|
|
|
|
|
if (!maybeUser) {
|
2022-09-12 09:25:54 +00:00
|
|
|
// Don't leak information about whether an email is registered or not
|
|
|
|
return res
|
|
|
|
.status(200)
|
|
|
|
.json({ message: "If this email exists in our system, you should receive a Reset email." });
|
2021-06-24 15:59:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
const maybePreviousRequest = await prisma.resetPasswordRequest.findMany({
|
|
|
|
where: {
|
2021-12-21 17:31:32 +00:00
|
|
|
email: maybeUser.email,
|
2021-06-24 15:59:11 +00:00
|
|
|
expires: {
|
2021-12-21 17:31:32 +00:00
|
|
|
gt: new Date(),
|
2021-06-24 15:59:11 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
});
|
|
|
|
|
|
|
|
let passwordRequest: ResetPasswordRequest;
|
|
|
|
|
|
|
|
if (maybePreviousRequest && maybePreviousRequest?.length >= 1) {
|
|
|
|
passwordRequest = maybePreviousRequest[0];
|
|
|
|
} else {
|
2021-11-26 11:03:43 +00:00
|
|
|
const expiry = dayjs().add(PASSWORD_RESET_EXPIRY_HOURS, "hours").toDate();
|
2021-06-24 15:59:11 +00:00
|
|
|
const createdResetPasswordRequest = await prisma.resetPasswordRequest.create({
|
|
|
|
data: {
|
2021-12-21 17:31:32 +00:00
|
|
|
email: maybeUser.email,
|
2021-06-24 15:59:11 +00:00
|
|
|
expires: expiry,
|
|
|
|
},
|
|
|
|
});
|
|
|
|
passwordRequest = createdResetPasswordRequest;
|
|
|
|
}
|
|
|
|
|
2022-03-26 00:39:38 +00:00
|
|
|
const resetLink = `${process.env.NEXT_PUBLIC_WEBAPP_URL}/auth/forgot-password/${passwordRequest.id}`;
|
2022-06-06 17:49:56 +00:00
|
|
|
await sendPasswordResetEmail({
|
2021-10-25 13:05:21 +00:00
|
|
|
language: t,
|
2021-12-21 17:31:32 +00:00
|
|
|
user: maybeUser,
|
2022-01-07 20:23:37 +00:00
|
|
|
resetLink,
|
2022-06-06 17:49:56 +00:00
|
|
|
});
|
2021-06-24 15:59:11 +00:00
|
|
|
|
2022-01-07 20:23:37 +00:00
|
|
|
/** So we can test the password reset flow on CI */
|
2022-03-17 19:36:11 +00:00
|
|
|
if (process.env.NEXT_PUBLIC_IS_E2E) {
|
2022-09-12 09:25:54 +00:00
|
|
|
return res.status(201).json({
|
|
|
|
message: "If this email exists in our system, you should receive a Reset email.",
|
|
|
|
resetLink,
|
|
|
|
});
|
2022-03-26 00:39:38 +00:00
|
|
|
} else {
|
2022-09-12 09:25:54 +00:00
|
|
|
return res
|
|
|
|
.status(201)
|
|
|
|
.json({ message: "If this email exists in our system, you should receive a Reset email." });
|
2022-01-07 20:23:37 +00:00
|
|
|
}
|
2021-06-24 15:59:11 +00:00
|
|
|
} catch (reason) {
|
2021-12-21 17:31:32 +00:00
|
|
|
// console.error(reason);
|
2021-06-24 15:59:11 +00:00
|
|
|
return res.status(500).json({ message: "Unable to create password reset request" });
|
|
|
|
}
|
|
|
|
}
|
2023-05-30 19:26:29 +00:00
|
|
|
|
|
|
|
export default defaultHandler({
|
|
|
|
POST: Promise.resolve({ default: handler }),
|
|
|
|
});
|