[BUGFIX] Rendre plus résistant le changement de mot de passe d'un utilisateur côté API, pour ne plus renvoyer d’erreur 500 (PIX-14971)

 #10413

Author: pix-service-auto-merge

api/db/database-builder/factory/build-reset-password-demand.js

@@ -5,12 +5,16 @@ const buildResetPasswordDemand = function ({
   email = '[email protected]',
   temporaryKey = 'ABCD12345',
   used = false,
+  createdAt,
+  updatedAt,
 } = {}) {
   const values = {
     id,
     email,
     temporaryKey,
     used,
+    createdAt,
+    updatedAt,
   };
   return databaseBuffer.pushInsertable({
     tableName: 'reset-password-demands',

api/src/identity-access-management/domain/services/reset-password.service.js

@@ -15,36 +15,36 @@ const generateTemporaryKey = async function () {
   );
 };
 
-const invalidateOldResetPasswordDemand = function (userEmail, resetPasswordDemandRepository) {
-  return resetPasswordDemandRepository.markAsBeingUsed(userEmail);
+const invalidateOldResetPasswordDemandsByEmail = function (userEmail, resetPasswordDemandRepository) {
+  return resetPasswordDemandRepository.markAllAsUsedByEmail(userEmail);
 };
 
 const verifyDemand = function (temporaryKey, resetPasswordDemandRepository) {
   return resetPasswordDemandRepository.findByTemporaryKey(temporaryKey);
 };
 
 /**
- * @callback hasUserAPasswordResetDemandInProgress
  * @param {string} email
  * @param {string} temporaryKey
  * @param {ResetPasswordDemandRepository} resetPasswordDemandRepository
  * @return {Promise<*>}
+ * @throws PasswordResetDemandNotFoundError
  */
-const hasUserAPasswordResetDemandInProgress = function (email, temporaryKey, resetPasswordDemandRepository) {
-  return resetPasswordDemandRepository.findByUserEmail(email, temporaryKey);
+const invalidateResetPasswordDemand = function (email, temporaryKey, resetPasswordDemandRepository) {
+  return resetPasswordDemandRepository.markAsUsed(email, temporaryKey);
 };
 
 /**
  * @typedef {Object} ResetPasswordService
  * @property generateTemporaryKey
- * @property hasUserAPasswordResetDemandInProgress
- * @property invalidateOldResetPasswordDemand
+ * @property invalidateResetPasswordDemand
+ * @property invalidateOldResetPasswordDemandsByEmail
  * @property verifyDemand
  */
 const resetPasswordService = {
   generateTemporaryKey,
-  hasUserAPasswordResetDemandInProgress,
-  invalidateOldResetPasswordDemand,
+  invalidateResetPasswordDemand,
+  invalidateOldResetPasswordDemandsByEmail,
   verifyDemand,
 };
 export { resetPasswordService };

api/src/identity-access-management/domain/usecases/update-user-password.usecase.js

@@ -1,3 +1,4 @@
+import { withTransaction } from '../../../shared/domain/DomainTransaction.js';
 import { UserNotAuthorizedToUpdatePasswordError } from '../../../shared/domain/errors.js';
 
 /**
@@ -14,7 +15,7 @@ import { UserNotAuthorizedToUpdatePasswordError } from '../../../shared/domain/e
  * @return {Promise<void>}
  * @throws {UserNotAuthorizedToUpdatePasswordError}
  */
-export const updateUserPassword = async function ({
+export const updateUserPassword = withTransaction(async function ({
   userId,
   password,
   temporaryKey,
@@ -24,25 +25,20 @@ export const updateUserPassword = async function ({
   userRepository,
   resetPasswordDemandRepository,
 }) {
-  const hashedPassword = await cryptoService.hashPassword(password);
   const user = await userRepository.get(userId);
-
   if (!user.email) {
     throw new UserNotAuthorizedToUpdatePasswordError();
   }
 
-  await resetPasswordService.hasUserAPasswordResetDemandInProgress(
-    user.email,
-    temporaryKey,
-    resetPasswordDemandRepository,
-  );
+  await resetPasswordService.invalidateResetPasswordDemand(user.email, temporaryKey, resetPasswordDemandRepository);
 
+  const hashedPassword = await cryptoService.hashPassword(password);
   await authenticationMethodRepository.updateChangedPassword({
     userId: user.id,
     hashedPassword,
   });
-  await resetPasswordService.invalidateOldResetPasswordDemand(user.email, resetPasswordDemandRepository);
 
-  user.markEmailAsValid();
-  await userRepository.update(user.mapToDatabaseDto());
-};
+  await resetPasswordService.invalidateOldResetPasswordDemandsByEmail(user.email, resetPasswordDemandRepository);
+
+  await userRepository.updateEmailConfirmed(userId);
+});

api/src/identity-access-management/infrastructure/repositories/reset-password-demand.repository.js

@@ -21,47 +21,46 @@ const create = async function ({ email, temporaryKey }) {
 
 /**
  * @param {string} email
- */
-const markAsBeingUsed = async function (email) {
-  const knexConn = DomainTransaction.getConnection();
-
-  await knexConn(RESET_PASSWORD_DEMANDS_TABLE_NAME)
-    .whereRaw('LOWER("email") = LOWER(?)', email)
-    .update({ used: true, updatedAt: new Date() });
-};
-
-/**
  * @param {string} temporaryKey
  *
- * @returns {ResetPasswordDemand} retrieved reset password demand
+ * @returns {Promise<void>}
+ * @throws PasswordResetDemandNotFoundError when resetPasswordDemand has been already used or does not exist
  */
-const findByTemporaryKey = async function (temporaryKey) {
+const markAsUsed = async function (email, temporaryKey) {
   const knexConn = DomainTransaction.getConnection();
 
   const resetPasswordDemand = await knexConn(RESET_PASSWORD_DEMANDS_TABLE_NAME)
-    .select('*')
+    .whereRaw('LOWER("email") = LOWER(?)', email)
     .where({ temporaryKey, used: false })
-    .first();
+    .update({ used: true, updatedAt: new Date() });
 
   if (!resetPasswordDemand) {
     throw new PasswordResetDemandNotFoundError();
   }
-
-  return _toDomain(resetPasswordDemand);
 };
 
 /**
  * @param {string} email
+ */
+const markAllAsUsedByEmail = async function (email) {
+  const knexConn = DomainTransaction.getConnection();
+
+  await knexConn(RESET_PASSWORD_DEMANDS_TABLE_NAME)
+    .whereRaw('LOWER("email") = LOWER(?)', email)
+    .where({ used: false })
+    .update({ used: true, updatedAt: new Date() });
+};
+
+/**
  * @param {string} temporaryKey
  *
  * @returns {ResetPasswordDemand} retrieved reset password demand
  */
-const findByUserEmail = async function (email, temporaryKey) {
+const findByTemporaryKey = async function (temporaryKey) {
   const knexConn = DomainTransaction.getConnection();
 
   const resetPasswordDemand = await knexConn(RESET_PASSWORD_DEMANDS_TABLE_NAME)
     .select('*')
-    .whereRaw('LOWER("email") = LOWER(?)', email)
     .where({ temporaryKey, used: false })
     .first();
 
@@ -83,18 +82,19 @@ const removeAllByEmail = async function (email) {
 
 /**
  * @typedef {Object} ResetPasswordDemandRepository
+ * @property {function} markAsUsed
  * @property {function} create
  * @property {function} deleteByUserEmail
  * @property {function} findByTemporaryKey
- * @property {function} findByUserEmail
- * @property {function} markAsBeingUsed
+ * @property {function} getByUserEmail
+ * @property {function} markAllAsUsedByEmail
  */
 const resetPasswordDemandRepository = {
+  markAsUsed,
   create,
   removeAllByEmail,
   findByTemporaryKey,
-  findByUserEmail,
-  markAsBeingUsed,
+  markAllAsUsedByEmail,
 };
 
 export { resetPasswordDemandRepository };

api/src/identity-access-management/infrastructure/repositories/user.repository.js

@@ -266,6 +266,12 @@ const updateEmail = async function ({ id, email }) {
   return new User(updatedUserEmail);
 };
 
+const updateEmailConfirmed = async function (userId) {
+  const knexConn = DomainTransaction.getConnection();
+  const updatedAt = new Date();
+  await knexConn('users').where({ id: userId }).update({ emailConfirmedAt: updatedAt, updatedAt });
+};
+
 const updateUserDetailsForAdministration = async function ({ id, userAttributes }, { preventUpdatedAt } = {}) {
   const knexConn = DomainTransaction.getConnection();
 
@@ -435,6 +441,7 @@ const updateLastDataProtectionPolicySeenAt = async function ({ userId }) {
  * @property {function} isUsernameAvailable
  * @property {function} update
  * @property {function} updateEmail
+ * @property {function} updateEmailConfirmed
  * @property {function} updateHasSeenAssessmentInstructionsToTrue
  * @property {function} updateHasSeenChallengeTooltip
  * @property {function} updateHasSeenNewDashboardInfoToTrue
@@ -467,6 +474,7 @@ export {
   isUsernameAvailable,
   update,
   updateEmail,
+  updateEmailConfirmed,
   updateHasSeenAssessmentInstructionsToTrue,
   updateHasSeenChallengeTooltip,
   updateHasSeenNewDashboardInfoToTrue,