Merge pull request #1023 from hpcc-systems/yadhap/account-change-notifications

 Send alerts when password or any account information is changed

Author: FancMa01

Tombolo/server/controllers/authController.js

@@ -5,6 +5,7 @@ const axios = require("axios");
 const logger = require("../config/logger");
 const roleTypes = require("../config/roleTypes");
 const models = require("../models");
+const moment = require("moment");
 const {
   generateAccessToken,
   generateRefreshToken,
@@ -20,8 +21,9 @@ const {
   setLastLogin,
 } = require("../utils/authUtil");
 const { blacklistToken } = require("../utils/tokenBlackListing");
+const sequelize = require("../models").sequelize;
 
-const User = models.user;
+const User = models.user
 const UserRoles = models.UserRoles;
 const user_application = models.user_application;
 const Application = models.application;
@@ -337,13 +339,17 @@ const verifyEmail = async (req, res) => {
 
 //Reset Password With Token - Self Requested
 const resetPasswordWithToken = async (req, res) => {
+  const transaction = await sequelize.transaction();
   try {
     const { password, token, deviceInfo } = req.body;
 
     // From AccountVerificationCodes table findUser ID by code, where code is resetToken
-    const accountVerificationCode = await AccountVerificationCodes.findOne({
-      where: { code: token },
-    });
+    const accountVerificationCode = await AccountVerificationCodes.findOne(
+      {
+        where: { code: token },
+      },
+      { transaction }
+    );
 
     // If accountVerificationCode not found
     if (!accountVerificationCode) {
@@ -397,22 +403,26 @@ const resetPasswordWithToken = async (req, res) => {
       },
       {
         where: { id: user.id },
+        transaction,
       }
     );
 
     // Delete the account verification code
     await AccountVerificationCodes.destroy({
       where: { code: token },
+      transaction,
     });
 
     //delete password reset link
     await PasswordResetLinks.destroy({
       where: { id: token },
+      transaction,
     });
 
     //remove all sessions for user before initiating new session
     await RefreshTokens.destroy({
       where: { userId: user.id },
+      transaction,
     });
 
     // Create token id
@@ -428,15 +438,18 @@ const resetPasswordWithToken = async (req, res) => {
     const { iat, exp } = jwt.decode(refreshToken);
 
     // Save refresh token in DB
-    await RefreshTokens.create({
-      id: tokenId,
-      userId: user.id,
-      token: refreshToken,
-      deviceInfo,
-      metaData: {},
-      iat: new Date(iat * 1000),
-      exp: new Date(exp * 1000),
-    });
+    await RefreshTokens.create(
+      {
+        id: tokenId,
+        userId: user.id,
+        token: refreshToken,
+        deviceInfo,
+        metaData: {},
+        iat: new Date(iat * 1000),
+        exp: new Date(exp * 1000),
+      },
+      { transaction }
+    );
 
     await setTokenCookie(res, accessToken);
 
@@ -453,13 +466,43 @@ const resetPasswordWithToken = async (req, res) => {
     // remove hash from user object
     delete userObj.hash;
 
+    // Send notification informing user that password has been reset
+    const readable_notification = `ACC_CNG_${moment().format(
+      "YYYYMMDD_HHmmss_SSS"
+    )}`;
+
+    await NotificationQueue.create(
+      {
+        type: "email",
+        templateName: "accountChange",
+        notificationOrigin: "Password Reset",
+        deliveryType: "immediate",
+        metaData: {
+          notificationId: readable_notification,
+          recipientName: `${userObj.firstName} ${userObj.lastName}`,
+          notificationOrigin: "Password Reset",
+          subject: "Your password has been changed",
+          mainRecipients: [userObj.email],
+          notificationDescription: "Password Reset",
+          changedInfo: ["password"],
+        },
+        createdBy: user.id,
+      },
+      { transaction }
+    );
+
+    // Commit the transaction
+    await transaction.commit();
+
     // Success response
     res.status(200).json({
       success: true,
       message: "Password updated successfully",
       data: userObj,
     });
   } catch (err) {
+    // Rollback the transaction
+    await transaction.rollback();
     logger.error(`Reset Temp Password: ${err.message}`);
     res
       .status(err.status || 500)

Tombolo/server/controllers/userController.js

@@ -51,6 +51,8 @@ const deleteUser = async (req, res) => {
 
 // Patch user with ID - not password
 const updateBasicUserInfo = async (req, res) => {
+  const t = await sequelize.transaction(); // Start a transaction
+
   try {
     const { id } = req.params;
     const {
@@ -61,20 +63,24 @@ const updateBasicUserInfo = async (req, res) => {
       verifiedUser,
     } = req.body;
 
-    // Find existing user details
-    const existingUser = await User.findOne({ where: { id } });
+    // Find existing user details within the transaction
+    const existingUser = await User.findOne({ where: { id }, transaction: t });
 
     // If user not found
     if (!existingUser) {
       throw { status: 404, message: "User not found" };
     }
 
+    const changedInfo = [];
+
     if (firstName) {
       existingUser.firstName = firstName;
+      changedInfo.push("firstName");
     }
 
     if (lastName) {
       existingUser.lastName = lastName;
+      changedInfo.push("lastName");
     }
 
     if (registrationMethod) {
@@ -85,7 +91,7 @@ const updateBasicUserInfo = async (req, res) => {
       existingUser.registrationStatus = registrationStatus;
     }
 
-    if (verifiedUser !== undefined || verifiedUser !== null) {
+    if (verifiedUser !== undefined && verifiedUser !== null) {
       existingUser.verifiedUser = verifiedUser;
     }
 
@@ -94,15 +100,44 @@ const updateBasicUserInfo = async (req, res) => {
       throw { status: 400, message: "No update payload provided" };
     }
 
-    // Save user with updated details
-    const updatedUser = await existingUser.save();
+    // Save user with updated details within the transaction
+    const updatedUser = await existingUser.save({ transaction: t });
+
+    // Queue notification within the same transaction
+    const readable_notification = `ACC_CNG_${moment().format(
+      "YYYYMMDD_HHmmss_SSS"
+    )}`;
+    await NotificationQueue.create(
+      {
+        type: "email",
+        templateName: "accountChange",
+        notificationOrigin: "User Management",
+        deliveryType: "immediate",
+        metaData: {
+          notificationId: readable_notification,
+          recipientName: `${updatedUser.firstName} ${updatedUser.lastName}`,
+          notificationOrigin: "User Management",
+          subject: "Account Change",
+          mainRecipients: [updatedUser.email],
+          notificationDescription: "Account Change",
+          changedInfo,
+        },
+        createdBy: req.user.id,
+      },
+      { transaction: t }
+    );
+
+    // Commit the transaction
+    await t.commit();
 
     res.status(200).json({
       success: true,
       message: "User updated successfully",
       data: updatedUser,
     });
   } catch (err) {
+    // Rollback transaction if anything goes wrong
+    await t.rollback();
     logger.error(`Update user: ${err.message}`);
     res
       .status(err.status || 500)
@@ -159,14 +194,15 @@ const getAllUsers = async (req, res) => {
 
 //Update password - Ensure current password provided is correct
 const changePassword = async (req, res) => {
+  const t = await sequelize.transaction(); // Start transaction
+
   try {
     const { id } = req.params;
     const { currentPassword, newPassword } = req.body;
 
     // Find existing user details
-    const existingUser = await User.findOne({ where: { id } });
+    const existingUser = await User.findOne({ where: { id }, transaction: t });
 
-    // If user not found
     if (!existingUser) {
       throw { status: 404, message: "User not found" };
     }
@@ -176,7 +212,7 @@ const changePassword = async (req, res) => {
       throw { status: 400, message: "Current password is incorrect" };
     }
 
-    //check for password security violations
+    // Check for password security violations
     const errors = checkPasswordSecurityViolations({
       password: newPassword,
       user: existingUser,
@@ -190,31 +226,54 @@ const changePassword = async (req, res) => {
     const salt = bcrypt.genSaltSync(10);
     existingUser.hash = bcrypt.hashSync(newPassword, salt);
 
-    //set password expiry
+    // Set password expiry and previous passwords
     setPasswordExpiry(existingUser);
-
-    //set previous passwords
     setPreviousPasswords(existingUser);
 
     // Save user with updated details
-    const updatedUser = await User.update(
+    await User.update(
       {
         hash: existingUser.hash,
         metaData: existingUser.metaData,
         passwordExpiresAt: existingUser.passwordExpiresAt,
         forcePasswordReset: existingUser.forcePasswordReset,
       },
+      { where: { id }, transaction: t }
+    );
+
+    // Queue notification
+    const readable_notification = `ACC_CNG_${moment().format(
+      "YYYYMMDD_HHmmss_SSS"
+    )}`;
+    await NotificationQueue.create(
       {
-        where: { id },
-      }
+        type: "email",
+        templateName: "accountChange",
+        notificationOrigin: "User Management",
+        deliveryType: "immediate",
+        metaData: {
+          notificationId: readable_notification,
+          recipientName: `${existingUser.firstName} ${existingUser.lastName}`,
+          notificationOrigin: "User Management",
+          subject: "Account Change",
+          mainRecipients: [existingUser.email],
+          notificationDescription: "Account Change",
+          changedInfo: ["password"],
+        },
+        createdBy: req.user.id,
+      },
+      { transaction: t }
     );
 
+    // Commit transaction
+    await t.commit();
+
     res.status(200).json({
       success: true,
       message: "Password updated successfully",
-      data: updatedUser,
     });
   } catch (err) {
+    await t.rollback(); // Rollback on failure
     logger.error(`Change password: ${err.message}`);
     res
       .status(err.status || 500)