Mfancher/store prev passwords (#1015)

FancMa01 · web-flow · commit c4996bcf0f7e · 2025-02-11T15:12:22.000-05:00
* install bcrypt on front-end

* store prev passwords on backend

* Check for prev passwords on backend

* Update authUtil.js
diff --git a/Tombolo/client-reactjs/package-lock.json b/Tombolo/client-reactjs/package-lock.json
diff --git a/Tombolo/client-reactjs/package.json b/Tombolo/client-reactjs/package.json
@@ -12,6 +12,7 @@
     "@antv/x6-react-shape": "^2.2.3",
     "@monaco-editor/react": "^4.4.5",
     "antd": "^5.13.2",
+    "bcryptjs-react": "^2.4.6",
     "cronstrue": "^2.14.0",
     "dayjs": "^1.11.10",
     "font-awesome": "^4.7.0",
diff --git a/Tombolo/server/controllers/authController.js b/Tombolo/server/controllers/authController.js
@@ -14,11 +14,11 @@ const {
   setPasswordExpiry,
   setAndSendPasswordExpiredEmail,
   checkPasswordSecurityViolations,
+  setPreviousPasswords,
 } = require("../utils/authUtil");
 const { blacklistToken } = require("../utils/tokenBlackListing");
 
 const { generateAndSetCSRFToken } = require("../utils/authUtil");
-const { get } = require("lodash");
 
 const User = models.user;
 const UserRoles = models.UserRoles;
@@ -83,6 +83,7 @@ const createApplicationOwner = async (req, res) => {
     const salt = bcrypt.genSaltSync(10);
     payload.hash = bcrypt.hashSync(req.body.password, salt);
     setPasswordExpiry(payload);
+    setPreviousPasswords(payload);
 
     // Save user to DB
     const user = await User.create(payload);
@@ -167,6 +168,7 @@ const createBasicUser = async (req, res) => {
     const salt = bcrypt.genSaltSync(10);
     payload.hash = bcrypt.hashSync(req.body.password, salt);
     setPasswordExpiry(payload);
+    setPreviousPasswords(payload);
 
     // Save user to DB
     const user = await User.create(payload);
@@ -374,9 +376,20 @@ const resetPasswordWithToken = async (req, res) => {
     user.verifiedAt = new Date();
     user.forcePasswordReset = false;
     setPasswordExpiry(user);
+    setPreviousPasswords(user);
 
     // Save user with updated details
-    await user.save();
+    await User.update(
+      {
+        hash: user.hash,
+        metaData: user.metaData,
+        passwordExpiresAt: user.passwordExpiresAt,
+        forcePasswordReset: user.forcePasswordReset,
+      },
+      {
+        where: { id: user.id },
+      }
+    );
 
     // Delete the account verification code
     await AccountVerificationCodes.destroy({
@@ -490,9 +503,20 @@ const resetTempPassword = async (req, res) => {
     user.verifiedAt = new Date();
     user.forcePasswordReset = false;
     setPasswordExpiry(user);
+    setPreviousPasswords(user);
 
     // Save user with updated details
-    await user.save();
+    await User.update(
+      {
+        hash: user.hash,
+        metaData: user.metaData,
+        passwordExpiresAt: user.passwordExpiresAt,
+        forcePasswordReset: user.forcePasswordReset,
+      },
+      {
+        where: { id: user.id },
+      }
+    );
 
     // Delete the account verification code
     await AccountVerificationCodes.destroy({
diff --git a/Tombolo/server/controllers/userController.js b/Tombolo/server/controllers/userController.js
@@ -10,7 +10,11 @@ const user_application = models.user_application;
 const NotificationQueue = models.notification_queue;
 const AccountVerificationCodes = models.AccountVerificationCodes;
 
-const { setPasswordExpiry } = require("../utils/authUtil");
+const {
+  checkPasswordSecurityViolations,
+  setPasswordExpiry,
+  setPreviousPasswords,
+} = require("../utils/authUtil");
 
 // Delete user with ID
 const deleteUser = async (req, res) => {
@@ -163,15 +167,38 @@ const changePassword = async (req, res) => {
       throw { status: 400, message: "Current password is incorrect" };
     }
 
+    //check for password security violations
+    const errors = checkPasswordSecurityViolations({
+      password: newPassword,
+      user: existingUser,
+    });
+
+    if (errors.length > 0) {
+      throw { status: 400, message: errors };
+    }
+
     // Update password
     const salt = bcrypt.genSaltSync(10);
     existingUser.hash = bcrypt.hashSync(newPassword, salt);
 
     //set password expiry
     setPasswordExpiry(existingUser);
 
+    //set previous passwords
+    setPreviousPasswords(existingUser);
+
     // Save user with updated details
-    const updatedUser = await existingUser.save();
+    const updatedUser = await User.update(
+      {
+        hash: existingUser.hash,
+        metaData: existingUser.metaData,
+        passwordExpiresAt: existingUser.passwordExpiresAt,
+        forcePasswordReset: existingUser.forcePasswordReset,
+      },
+      {
+        where: { id },
+      }
+    );
 
     res.status(200).json({
       success: true,
diff --git a/Tombolo/server/controllers/wizardController.js b/Tombolo/server/controllers/wizardController.js
@@ -193,6 +193,7 @@ const createUser = async (
           third: false,
           final: false,
         },
+        previousPasswords: [hash],
       },
     },
     { transaction }
diff --git a/Tombolo/server/utils/authUtil.js b/Tombolo/server/utils/authUtil.js
@@ -7,6 +7,7 @@ const { Op } = require("sequelize");
 const logger = require("../config/logger");
 const model = require("../models");
 const { generateToken } = require("../middlewares/csrfMiddleware");
+const bcrypt = require("bcryptjs");
 
 // Constants
 const User = model.user;
@@ -131,18 +132,22 @@ const setPasswordExpiry = (user) => {
   return user;
 };
 
-
 // Get Support Notification Recipient's Emails
 const getSupportContactEmails = async () => {
   // Get Instance Setting
   const instanceSetting = await InstanceSettings.findOne({ raw: true });
 
-  let supportEmailRecipientsEmail = instanceSetting.metaData.supportEmailRecipients || [];
-  let supportEmailRecipientsRoles = instanceSetting.metaData.supportEmailRecipientsRoles || [];
+  let supportEmailRecipientsEmail =
+    instanceSetting.metaData.supportEmailRecipients || [];
+  let supportEmailRecipientsRoles =
+    instanceSetting.metaData.supportEmailRecipientsRoles || [];
   const supportRolesEmail = [];
 
   // If support email recipients exist and no support email recipients roles
- if(supportEmailRecipientsEmail.length > 0 && supportEmailRecipientsRoles.length === 0){
+  if (
+    supportEmailRecipientsEmail.length > 0 &&
+    supportEmailRecipientsRoles.length === 0
+  ) {
     return supportEmailRecipientsEmail;
   }
 
@@ -166,8 +171,6 @@ const getSupportContactEmails = async () => {
     ],
   });
 
-
-
   // Get the e-mail addresses
   ownerAndAdminEmails.forEach((user) => {
     supportRolesEmail.push(user.email);
@@ -182,12 +185,17 @@ const getAccessRequestContactEmails = async () => {
   // Get Instance Setting
   const instanceSetting = await InstanceSettings.findOne({ raw: true });
 
-  let accessRequestEmailRecipientsEmail = instanceSetting.metaData.accessRequestEmailRecipientsEmail || [];
-  let accessRequestEmailRecipientsRoles = instanceSetting.metaData.accessRequestEmailRecipientsRoles || [];
+  let accessRequestEmailRecipientsEmail =
+    instanceSetting.metaData.accessRequestEmailRecipientsEmail || [];
+  let accessRequestEmailRecipientsRoles =
+    instanceSetting.metaData.accessRequestEmailRecipientsRoles || [];
   const accessRequestRolesEmail = [];
 
   // If access email recipients exist and no support email recipients roles
-  if(accessRequestEmailRecipientsEmail.length > 0 && accessRequestEmailRecipientsRoles.length === 0){
+  if (
+    accessRequestEmailRecipientsEmail.length > 0 &&
+    accessRequestEmailRecipientsRoles.length === 0
+  ) {
     return accessRequestEmailRecipientsEmail;
   }
 
@@ -219,7 +227,6 @@ const getAccessRequestContactEmails = async () => {
   return [...accessRequestEmailRecipientsEmail, ...accessRequestRolesEmail];
 };
 
-
 const setAndSendPasswordExpiredEmail = async (user) => {
   //if the forcePasswordReset flag isn't set but the password has expired, set the flag
   if (user.passwordExpiresAt < new Date() && !user.forcePasswordReset) {
@@ -286,6 +293,7 @@ const checkPasswordSecurityViolations = ({ password, user }) => {
   const email = user.email;
   const firstName = user.firstName;
   const lastName = user.lastName;
+  const previousPasswords = user.metaData.previousPasswords || [];
 
   if (password.includes(email)) {
     passwordViolations.push("Password contains email address");
@@ -302,10 +310,34 @@ const checkPasswordSecurityViolations = ({ password, user }) => {
   }
 
   //TODO -- check if password contains any of previous 12 passwords
+  previousPasswords.forEach((oldPassword) => {
+    if (bcrypt.compareSync(password, oldPassword)) {
+      passwordViolations.push(
+        "Password cannot be the same as one of the previous passwords"
+      );
+    }
+  });
 
   return passwordViolations;
 };
 
+const setPreviousPasswords = async (user) => {
+  //get existing previous passwords
+  let previousPasswords = user.metaData.previousPasswords || [];
+
+  //add current password to the list
+  previousPasswords.push(user.hash);
+
+  //if there are more than 12 previous passwords, remove the oldest one
+  if (previousPasswords.length > 12) {
+    previousPasswords.shift();
+  }
+
+  user.metaData.previousPasswords = previousPasswords;
+
+  return user;
+};
+
 //Exports
 module.exports = {
   generateAccessToken,
@@ -321,4 +353,5 @@ module.exports = {
   checkPasswordSecurityViolations,
   getSupportContactEmails,
   getAccessRequestContactEmails,
+  setPreviousPasswords,
 };
