/api/user/reset-account-password (PATCH)

Account information like email addresses is generated with faker-js it is not real user information.

await global.api.user.ResetAccountPassword.patch(req)

Exceptions

These exceptions are thrown (NodeJS) or returned as JSON (HTTP) if you provide incorrect data or do not meet the requirements:

Exception	Circumstances
invalid-password	missing posted new-password
invalid-reset-code	invalid posted secret-code
invalid-secret-code	missing posted secret-code
invalid-username	missing posted username
invalid-username	invalid posted username

NodeJS source (view on github)

const crypto = require('crypto')
const dashboard = require('../../../../index.js')

module.exports = {
  auth: false,
  patch: async (req) => {
    if (!req.body || !req.body['secret-code']) {
      throw new Error('invalid-secret-code')
    }
    if (!req.body.username) {
      throw new Error('invalid-username')
    }
    if (!req.body.username || !req.body.username.length ||
      global.minimumUsernameLength > req.body.username.length) {
      throw new Error('invalid-username')
    }
    if (!req.body['new-password'] || !req.body['new-password'].length) {
      throw new Error('invalid-password')
    }
    if (global.minimumPasswordLength > req.body['new-password'].length) {
      throw new Error('invalid-password-length')
    }
    if (!req.body['secret-code'] || !req.body['secret-code'].length) {
      throw new Error('invalid-secret-code')
    }
    let dashboardEncryptionKey = global.dashboardEncryptionKey
    if (req.server) {
      dashboardEncryptionKey = req.server.dashboardEncryptionKey || dashboardEncryptionKey
    }
    const usernameHash = await dashboard.Hash.sha512Hash(req.body.username, dashboardEncryptionKey)
    const accountInfo = await dashboard.Storage.Account.findOne({
      where: {
        usernameHash,
        appid: req.appid || global.appid
      }
    })
    if (!accountInfo) {
      throw new Error('invalid-username')
    }
    const query = req.query
    req.query = {
      accountid: accountInfo.dataValues.accountid
    }
    const account = await global.api.administrator.Account.get(req)
    req.query = query
    if (!account) {
      throw new Error('invalid-username')
    }
    if (account.deletedAt) {
      throw new Error('invalid-account')
    }
    if (new Date(account.deletedAt).getTime() < new Date().getTime()) {
      throw new Error('invalid-account')
    }
    const secretCodeHash = await dashboard.Hash.sha512Hash(req.body['secret-code'], dashboardEncryptionKey)
    const codeInfo = await dashboard.Storage.ResetCode.findOne({
      where: {
        secretCodeHash,
        appid: req.appid || global.appid
      }
    })
    if (!codeInfo) {
      throw new Error('invalid-reset-code')
    }
    const passwordHash = await dashboard.Hash.bcryptHashHash(req.body['new-password'], dashboardEncryptionKey)
    await dashboard.Storage.Account.update({
      passwordHash,
      resetCodeLastUsedAt: new Date(),
      sessionKey: crypto.randomBytes(32).toString('hex'),
      sessionKeyLastResetAt: new Date(),
      passwordLastChangedAt: new Date(),
      sessionKeyNumber: account.sessionKeyNumber + 1
    }, {
      where: {
        accountid: accountInfo.dataValues.accountid,
        appid: req.appid || global.appid
      }
    })
    await dashboard.StorageCache.remove(codeInfo.dataValues.accountid)
    await dashboard.Storage.ResetCode.destroy({
      where: {
        codeid: codeInfo.dataValues.codeid,
        appid: req.appid || global.appid
      }
    })
    return true
  }
}

Test source (view on github)

/* eslint-env mocha */
const assert = require('assert')
const TestHelper = require('../../../../test-helper.js')

describe('/api/user/reset-account-password', () => {
  describe('exceptions', () => {
    describe('invalid-username', () => {
      it('missing posted username', async () => {
        const req = TestHelper.createRequest('/api/user/reset-account-password')
        req.body = {
          username: '',
          'new-password': 'password',
          'secret-code': 'code'
        }
        let errorMessage
        try {
          await req.patch()
        } catch (error) {
          errorMessage = error.message
        }
        assert.strictEqual(errorMessage, 'invalid-username')
      })

      it('invalid posted username', async () => {
        const req = TestHelper.createRequest('/api/user/reset-account-password')
        req.body = {
          username: 'invalid',
          'new-password': 'password',
          'secret-code': 'code'
        }
        let errorMessage
        try {
          await req.patch()
        } catch (error) {
          errorMessage = error.message
        }
        assert.strictEqual(errorMessage, 'invalid-username')
      })
    })

    describe('invalid-password', () => {
      it('missing posted new-password', async () => {
        const req = TestHelper.createRequest('/api/user/reset-account-password')
        req.body = {
          username: 'username',
          'new-password': '',
          'secret-code': 'code'
        }
        let errorMessage
        try {
          await req.patch()
        } catch (error) {
          errorMessage = error.message
        }
        assert.strictEqual(errorMessage, 'invalid-password')
      })
    })

    describe('invalid-secret-code', () => {
      it('missing posted secret-code', async () => {
        const req = TestHelper.createRequest('/api/user/reset-account-password')
        req.body = {
          username: 'username',
          'new-password': 'password'
        }
        let errorMessage
        try {
          await req.patch()
        } catch (error) {
          errorMessage = error.message
        }
        assert.strictEqual(errorMessage, 'invalid-secret-code')
      })
    })

    describe('invalid-reset-code', () => {
      it('invalid posted secret-code', async () => {
        const user = await TestHelper.createUser()
        const req = TestHelper.createRequest('/api/user/reset-account-password')
        req.body = {
          username: user.account.username,
          'new-password': 'password',
          'secret-code': 'invalid'
        }
        let errorMessage
        try {
          await req.patch()
        } catch (error) {
          errorMessage = error.message
        }
        assert.strictEqual(errorMessage, 'invalid-reset-code')
      })
    })
  })

  describe('returns', () => {
    it('boolean', async () => {
      const user = await TestHelper.createUser()
      const code = await TestHelper.createResetCode(user)
      const req = TestHelper.createRequest('/api/user/reset-account-password')
      req.body = {
        username: user.account.username,
        'new-password': 'new-password',
        'secret-code': code.code
      }
      req.filename = __filename
      req.saveResponse = true
      const resetPassword = await req.patch()
      assert.strictEqual(resetPassword, true)
    })
  })
})

Top of page

Dashboard API explorer

Dashboard

MaxMind GeoIP

Organizations

Stripe Connect

Stripe Subscriptions

OAuth

Example app

Example subscription app

/api/user/reset-account-password (PATCH)

Exceptions

NodeJS source (view on github)

Test source (view on github)