packages/lib/server-only/user/reset-password.ts

import { compare, hash } from '@node-rs/bcrypt';
import { UserSecurityAuditLogType } from '@prisma/client';

import { prisma } from '@documenso/prisma';

import { SALT_ROUNDS } from '../../constants/auth';
import { AppError, AppErrorCode } from '../../errors/app-error';
import { jobsClient } from '../../jobs/client';
import type { RequestMetadata } from '../../universal/extract-request-metadata';

export type ResetPasswordOptions = {
  token: string;
  password: string;
  requestMetadata?: RequestMetadata;
};

export const resetPassword = async ({ token, password, requestMetadata }: ResetPasswordOptions) => {
  if (!token) {
    throw new AppError('INVALID_TOKEN');
  }

  const foundToken = await prisma.passwordResetToken.findFirst({
    where: {
      token,
    },
    include: {
      user: true,
    },
  });

  if (!foundToken) {
    throw new AppError('INVALID_TOKEN');
  }

  const now = new Date();

  if (now > foundToken.expiry) {
    throw new AppError(AppErrorCode.EXPIRED_CODE);
  }

  const isSamePassword = await compare(password, foundToken.user.password || '');

  if (isSamePassword) {
    throw new AppError('SAME_PASSWORD');
  }

  const hashedPassword = await hash(password, SALT_ROUNDS);

  await prisma.$transaction(async (tx) => {
    await tx.user.update({
      where: {
        id: foundToken.userId,
      },
      data: {
        password: hashedPassword,
      },
    });

    await tx.passwordResetToken.deleteMany({
      where: {
        userId: foundToken.userId,
      },
    });

    await tx.userSecurityAuditLog.create({
      data: {
        userId: foundToken.userId,
        type: UserSecurityAuditLogType.PASSWORD_RESET,
        userAgent: requestMetadata?.userAgent,
        ipAddress: requestMetadata?.ipAddress,
      },
    });

    await jobsClient.triggerJob({
      name: 'send.password.reset.success.email',
      payload: {
        userId: foundToken.userId,
      },
    });
  });
};
chore: remove bcrypt 2024-03-07 18:30:22 +11:00			`import { compare, hash } from '@node-rs/bcrypt';`
feat: migrate nextjs to rr7 2025-01-02 15:33:37 +11:00			`import { UserSecurityAuditLogType } from '@prisma/client';`
feat: add reset functionality 2023-09-18 14:03:33 +00:00
			`import { prisma } from '@documenso/prisma';`

			`import { SALT_ROUNDS } from '../../constants/auth';`
fix: refactor trpc errors (#1511) 2024-12-06 16:01:24 +09:00			`import { AppError, AppErrorCode } from '../../errors/app-error';`
feat: migrate nextjs to rr7 2025-01-02 15:33:37 +11:00			`import { jobsClient } from '../../jobs/client';`
feat: add user security audit logs 2024-01-30 17:31:27 +11:00			`import type { RequestMetadata } from '../../universal/extract-request-metadata';`
feat: add reset functionality 2023-09-18 14:03:33 +00:00
			`export type ResetPasswordOptions = {`
			`token: string;`
			`password: string;`
feat: add user security audit logs 2024-01-30 17:31:27 +11:00			`requestMetadata?: RequestMetadata;`
feat: add reset functionality 2023-09-18 14:03:33 +00:00			`};`

feat: add user security audit logs 2024-01-30 17:31:27 +11:00			`export const resetPassword = async ({ token, password, requestMetadata }: ResetPasswordOptions) => {`
feat: add reset functionality 2023-09-18 14:03:33 +00:00			`if (!token) {`
fix: refactor trpc errors (#1511) 2024-12-06 16:01:24 +09:00			`throw new AppError('INVALID_TOKEN');`
feat: add reset functionality 2023-09-18 14:03:33 +00:00			`}`

fix: add layout and minor updates 2023-09-19 13:34:54 +00:00			`const foundToken = await prisma.passwordResetToken.findFirst({`
feat: add reset functionality 2023-09-18 14:03:33 +00:00			`where: {`
			`token,`
			`},`
			`include: {`
fix: refactor prisma relations (#1581) 2025-01-13 13:41:53 +11:00			`user: true,`
feat: add reset functionality 2023-09-18 14:03:33 +00:00			`},`
			`});`

			`if (!foundToken) {`
fix: refactor trpc errors (#1511) 2024-12-06 16:01:24 +09:00			`throw new AppError('INVALID_TOKEN');`
feat: add reset functionality 2023-09-18 14:03:33 +00:00			`}`

			`const now = new Date();`

			`if (now > foundToken.expiry) {`
fix: refactor trpc errors (#1511) 2024-12-06 16:01:24 +09:00			`throw new AppError(AppErrorCode.EXPIRED_CODE);`
feat: add reset functionality 2023-09-18 14:03:33 +00:00			`}`

fix: refactor prisma relations (#1581) 2025-01-13 13:41:53 +11:00			`const isSamePassword = await compare(password, foundToken.user.password \|\| '');`
feat: add reset functionality 2023-09-18 14:03:33 +00:00
			`if (isSamePassword) {`
fix: refactor trpc errors (#1511) 2024-12-06 16:01:24 +09:00			`throw new AppError('SAME_PASSWORD');`
feat: add reset functionality 2023-09-18 14:03:33 +00:00			`}`

			`const hashedPassword = await hash(password, SALT_ROUNDS);`

feat: migrate nextjs to rr7 2025-01-02 15:33:37 +11:00			`await prisma.$transaction(async (tx) => {`
			`await tx.user.update({`
feat: add reset functionality 2023-09-18 14:03:33 +00:00			`where: {`
			`id: foundToken.userId,`
			`},`
			`data: {`
			`password: hashedPassword,`
			`},`
feat: migrate nextjs to rr7 2025-01-02 15:33:37 +11:00			`});`

			`await tx.passwordResetToken.deleteMany({`
feat: add reset functionality 2023-09-18 14:03:33 +00:00			`where: {`
			`userId: foundToken.userId,`
			`},`
feat: migrate nextjs to rr7 2025-01-02 15:33:37 +11:00			`});`

			`await tx.userSecurityAuditLog.create({`
feat: add user security audit logs 2024-01-30 17:31:27 +11:00			`data: {`
			`userId: foundToken.userId,`
			`type: UserSecurityAuditLogType.PASSWORD_RESET,`
			`userAgent: requestMetadata?.userAgent,`
			`ipAddress: requestMetadata?.ipAddress,`
			`},`
feat: migrate nextjs to rr7 2025-01-02 15:33:37 +11:00			`});`
feat: add reset functionality 2023-09-18 14:03:33 +00:00
feat: migrate nextjs to rr7 2025-01-02 15:33:37 +11:00			`await jobsClient.triggerJob({`
			`name: 'send.password.reset.success.email',`
			`payload: {`
			`userId: foundToken.userId,`
			`},`
			`});`
			`});`
feat: add reset functionality 2023-09-18 14:03:33 +00:00			`};`