packages/lib/server-only/user/update-password.ts

import { compare, hash } from '@node-rs/bcrypt';
import { UserSecurityAuditLogType } from '@prisma/client';

import { SALT_ROUNDS } from '@documenso/lib/constants/auth';
import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
import { prisma } from '@documenso/prisma';

import { AppError } from '../../errors/app-error';

export type UpdatePasswordOptions = {
  userId: number;
  password: string;
  currentPassword: string;
  requestMetadata?: RequestMetadata;
};

export const updatePassword = async ({
  userId,
  password,
  currentPassword,
  requestMetadata,
}: UpdatePasswordOptions) => {
  // Existence check
  const user = await prisma.user.findFirstOrThrow({
    where: {
      id: userId,
    },
  });

  if (!user.password) {
    throw new AppError('NO_PASSWORD');
  }

  const isCurrentPasswordValid = await compare(currentPassword, user.password);
  if (!isCurrentPasswordValid) {
    throw new AppError('INCORRECT_PASSWORD');
  }

  // Compare the new password with the old password
  const isSamePassword = await compare(password, user.password);
  if (isSamePassword) {
    throw new AppError('SAME_PASSWORD');
  }

  const hashedNewPassword = await hash(password, SALT_ROUNDS);

  return await prisma.$transaction(async (tx) => {
    await tx.userSecurityAuditLog.create({
      data: {
        userId,
        type: UserSecurityAuditLogType.PASSWORD_UPDATE,
        userAgent: requestMetadata?.userAgent,
        ipAddress: requestMetadata?.ipAddress,
      },
    });

    return await tx.user.update({
      where: {
        id: userId,
      },
      data: {
        password: hashedNewPassword,
      },
    });
  });
};
chore: remove bcrypt 2024-03-07 18:30:22 +11:00			`import { compare, hash } from '@node-rs/bcrypt';`
feat: migrate nextjs to rr7 2025-01-02 15:33:37 +11:00			`import { UserSecurityAuditLogType } from '@prisma/client';`
wip: refresh design 2023-06-09 18:21:18 +10:00
feat: add user security audit logs 2024-01-30 17:31:27 +11:00			`import { SALT_ROUNDS } from '@documenso/lib/constants/auth';`
			`import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';`
wip: refresh design 2023-06-09 18:21:18 +10:00			`import { prisma } from '@documenso/prisma';`

fix: refactor trpc errors (#1511) 2024-12-06 16:01:24 +09:00			`import { AppError } from '../../errors/app-error';`

wip: refresh design 2023-06-09 18:21:18 +10:00			`export type UpdatePasswordOptions = {`
			`userId: number;`
			`password: string;`
feat: require old password for password reset (#488) * feat: require old password for password reset 2023-10-04 09:53:57 +05:30			`currentPassword: string;`
feat: add user security audit logs 2024-01-30 17:31:27 +11:00			`requestMetadata?: RequestMetadata;`
wip: refresh design 2023-06-09 18:21:18 +10:00			`};`

feat: require old password for password reset (#488) * feat: require old password for password reset 2023-10-04 09:53:57 +05:30			`export const updatePassword = async ({`
			`userId,`
			`password,`
			`currentPassword,`
feat: add user security audit logs 2024-01-30 17:31:27 +11:00			`requestMetadata,`
feat: require old password for password reset (#488) * feat: require old password for password reset 2023-10-04 09:53:57 +05:30			`}: UpdatePasswordOptions) => {`
wip: refresh design 2023-06-09 18:21:18 +10:00			`// Existence check`
feat: prevent a user from updating password with the same password 2023-08-30 03:22:47 +00:00			`const user = await prisma.user.findFirstOrThrow({`
wip: refresh design 2023-06-09 18:21:18 +10:00			`where: {`
			`id: userId,`
			`},`
			`});`

feat: require old password for password reset (#488) * feat: require old password for password reset 2023-10-04 09:53:57 +05:30			`if (!user.password) {`
fix: refactor trpc errors (#1511) 2024-12-06 16:01:24 +09:00			`throw new AppError('NO_PASSWORD');`
feat: require old password for password reset (#488) * feat: require old password for password reset 2023-10-04 09:53:57 +05:30			`}`
wip: refresh design 2023-06-09 18:21:18 +10:00
feat: require old password for password reset (#488) * feat: require old password for password reset 2023-10-04 09:53:57 +05:30			`const isCurrentPasswordValid = await compare(currentPassword, user.password);`
			`if (!isCurrentPasswordValid) {`
fix: refactor trpc errors (#1511) 2024-12-06 16:01:24 +09:00			`throw new AppError('INCORRECT_PASSWORD');`
feat: require old password for password reset (#488) * feat: require old password for password reset 2023-10-04 09:53:57 +05:30			`}`
feat: prevent a user from updating password with the same password 2023-08-30 03:22:47 +00:00
feat: require old password for password reset (#488) * feat: require old password for password reset 2023-10-04 09:53:57 +05:30			`// Compare the new password with the old password`
			`const isSamePassword = await compare(password, user.password);`
			`if (isSamePassword) {`
fix: refactor trpc errors (#1511) 2024-12-06 16:01:24 +09:00			`throw new AppError('SAME_PASSWORD');`
feat: prevent a user from updating password with the same password 2023-08-30 03:22:47 +00:00			`}`

feat: require old password for password reset (#488) * feat: require old password for password reset 2023-10-04 09:53:57 +05:30			`const hashedNewPassword = await hash(password, SALT_ROUNDS);`

feat: add user security audit logs 2024-01-30 17:31:27 +11:00			`return await prisma.$transaction(async (tx) => {`
			`await tx.userSecurityAuditLog.create({`
			`data: {`
			`userId,`
			`type: UserSecurityAuditLogType.PASSWORD_UPDATE,`
			`userAgent: requestMetadata?.userAgent,`
			`ipAddress: requestMetadata?.ipAddress,`
			`},`
			`});`
wip: refresh design 2023-06-09 18:21:18 +10:00
feat: add user security audit logs 2024-01-30 17:31:27 +11:00			`return await tx.user.update({`
			`where: {`
			`id: userId,`
			`},`
			`data: {`
			`password: hashedNewPassword,`
			`},`
			`});`
			`});`
wip: refresh design 2023-06-09 18:21:18 +10:00			`};`