NMDSdevopsServiceAdm · kapppa-joe · Jan 7, 2025 · Dec 3, 2024 · Dec 3, 2024 · Dec 4, 2024
diff --git a/backend/migrations/20241216140000-addInvalidFindUsernameAttemptsColumnToLoginTable.js b/backend/migrations/20241216140000-addInvalidFindUsernameAttemptsColumnToLoginTable.js
@@ -0,0 +1,17 @@
+'use strict';
+
+const table = {
+  tableName: 'Login',
+  schema: 'cqc',
+};
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+  async up(queryInterface, Sequelize) {
+    return queryInterface.addColumn(table, 'InvalidFindUsernameAttempts', { type: Sequelize.DataTypes.INTEGER });
+  },
+
+  async down(queryInterface) {
+    return queryInterface.removeColumn(table, 'InvalidFindUsernameAttempts');
+  },
+};
diff --git a/backend/server/data/constants.js b/backend/server/data/constants.js
@@ -0,0 +1,9 @@
+const UserAccountStatus = {
+  Locked: 'Locked',
+  Pending: 'PENDING',
+};
+
+const MaxLoginAttempts = 10;
+const MaxFindUsernameAttempts = 5;
+
+module.exports = { UserAccountStatus, MaxLoginAttempts, MaxFindUsernameAttempts };
diff --git a/backend/server/models/login.js b/backend/server/models/login.js
@@ -1,5 +1,6 @@
 /* jshint indent: 2 */
 var bcrypt = require('bcrypt-nodejs');
+const { MaxLoginAttempts, MaxFindUsernameAttempts, UserAccountStatus } = require('../data/constants');
 
 module.exports = function (sequelize, DataTypes) {
   const Login = sequelize.define(
@@ -39,6 +40,11 @@ module.exports = function (sequelize, DataTypes) {
         allowNull: false,
         field: '"InvalidAttempt"',
       },
+      invalidFindUsernameAttempts: {
+        type: DataTypes.INTEGER,
+        allowNull: true,
+        field: '"InvalidFindUsernameAttempts"',
+      },
       firstLogin: {
         type: DataTypes.DATE,
         allowNull: true,
@@ -132,5 +138,47 @@ module.exports = function (sequelize, DataTypes) {
     });
   };
 
+  Login.prototype.recordInvalidFindUsernameAttempts = async function (transaction) {
+    const loginAccount = await Login.findByPk(this.id);
+
+    const previousAttempts = loginAccount.invalidFindUsernameAttempts ?? 0;
+    const updatedFields = {
+      invalidFindUsernameAttempts: previousAttempts + 1,
+    };
+    const options = transaction ? { transaction } : {};
+
+    return this.update(updatedFields, options);
+  };
+
+  Login.prototype.lockAccount = async function (transaction) {
+    const updatedFields = {
+      isActive: false,
+      status: UserAccountStatus.Locked,
+    };
+
+    const options = transaction ? { transaction } : {};
+
+    return this.update(updatedFields, options);
+  };
+
+  Login.prototype.unlockAccount = async function (transaction) {
+    const loginAccount = await Login.findByPk(this.id);
+    const updatedFields = {
+      isActive: true,
+      status: null,
+    };
+    const options = transaction ? { transaction } : {};
+
+    if (loginAccount.invalidAttempt >= MaxLoginAttempts) {
+      updatedFields.invalidAttempt = MaxLoginAttempts - 1;
+    }
+
+    if (loginAccount.invalidFindUsernameAttempts >= MaxFindUsernameAttempts) {
+      updatedFields.invalidFindUsernameAttempts = MaxFindUsernameAttempts - 1;
+    }
+
+    return this.update(updatedFields, options);
+  };
+
   return Login;
 };
diff --git a/backend/server/models/user.js b/backend/server/models/user.js
@@ -1,6 +1,8 @@
 /* jshint indent: 2 */
 const { Op } = require('sequelize');
+const { padEnd } = require('lodash');
 const { sanitise } = require('../utils/db');
+const { UserAccountStatus } = require('../data/constants');
 
 module.exports = function (sequelize, DataTypes) {
   const User = sequelize.define(
@@ -486,5 +488,59 @@ module.exports = function (sequelize, DataTypes) {
     });
   };
 
+  User.findByRelevantInfo = async function ({ name, workplaceId, postcode, email }) {
+    if (!workplaceId && !postcode) {
+      return null;
+    }
+
+    const workplaceIdWithTrailingSpace = padEnd(workplaceId ?? '', 8, ' ');
+    const establishmentWhereClause = workplaceId
+      ? { NmdsID: [workplaceId, workplaceIdWithTrailingSpace] }
+      : { postcode: postcode };
+
+    const query = {
+      attributes: ['uid', 'SecurityQuestionValue'],
+      where: {
+        Archived: false,
+        FullNameValue: name,
+        EmailValue: email,
+        SecurityQuestionValue: { [Op.ne]: null },
+        SecurityQuestionAnswerValue: { [Op.ne]: null },
+      },
+      include: [
+        {
+          model: sequelize.models.establishment,
+          where: establishmentWhereClause,
+          required: true,
+          attributes: [],
+        },
+        {
+          model: sequelize.models.login,
+          required: true,
+          attributes: ['status'],
+        },
+      ],
+      raw: true,
+    };
+
+    const allFoundUsers = await this.findAll(query);
+
+    if (!allFoundUsers?.length || allFoundUsers.length === 0) {
+      return null;
+    }
+
+    if (allFoundUsers.length > 1) {
+      return { multipleAccountsFound: true };
+    }
+
+    const userFound = allFoundUsers[0];
+
+    if (userFound && userFound['login.status'] === UserAccountStatus.Locked) {
+      return { accountLocked: true };
+    }
+
+    return userFound;
+  };
+
   return User;
 };
diff --git a/backend/server/routes/admin/unlock-account/index.js b/backend/server/routes/admin/unlock-account/index.js
@@ -25,11 +25,7 @@ const unlockAccount = async (req, res) => {
       // Make sure we have the matching user
       if (login && login.id && username === login.username) {
         try {
-          const updateduser = await login.update({
-            isActive: true,
-            invalidAttempt: 9,
-            status: null,
-          });
+          const updateduser = await login.unlockAccount();
           if (updateduser) {
             res.status(200);
             return res.json({ status: '0', message: 'User has been set as active' });

diff --git a/backend/server/routes/login.js b/backend/server/routes/login.js
@@ -22,6 +22,7 @@ const { adminRoles } = require('../utils/adminUtils');
 const sendMail = require('../utils/email/notify-email').sendPasswordReset;
 
 const { authLimiter } = require('../utils/middleware/rateLimiting');
+const { MaxLoginAttempts, UserAccountStatus } = require('../data/constants');
 
 const tribalHashCompare = (password, salt, expectedHash) => {
   const hash = crypto.createHash('sha256');
@@ -197,13 +198,13 @@ router.post('/', async (req, res) => {
 
     if (establishmentUser) {
       //check weather posted user is locked or pending
-      if (!establishmentUser.isActive && establishmentUser.status === 'Locked') {
+      if (!establishmentUser.isActive && establishmentUser.status === UserAccountStatus.Locked) {
         //check for locked status, if locked then return with 409 error
         console.error('POST .../login failed: User status is locked');
         return res.status(409).send({
           message: 'Authentication failed.',
         });
-      } else if (!establishmentUser.isActive && establishmentUser.status === 'PENDING') {
+      } else if (!establishmentUser.isActive && establishmentUser.status === UserAccountStatus.Pending) {
         //check for Pending status, if Pending then return with 403 error
         console.error('POST .../login failed: User status is pending');
         return res.status(405).send({
@@ -290,6 +291,7 @@ router.post('/', async (req, res) => {
             // reset the number of failed attempts on any successful login
             const loginUpdate = {
               invalidAttempt: 0,
+              invalidFindUsernameAttempts: 0,
               lastLogin: new Date(),
             };
 
@@ -353,19 +355,17 @@ router.post('/', async (req, res) => {
             .json(response);
         } else {
           await models.sequelize.transaction(async (t) => {
-            const maxNumberOfFailedAttempts = 10;
-
             // increment the number of failed attempts by one
             const loginUpdate = {
               invalidAttempt: establishmentUser.invalidAttempt + 1,
             };
             await establishmentUser.update(loginUpdate, { transaction: t });
 
-            if (establishmentUser.invalidAttempt === maxNumberOfFailedAttempts + 1) {
+            if (establishmentUser.invalidAttempt === MaxLoginAttempts + 1) {
               // lock the account
               const loginUpdate = {
                 isActive: false,
-                status: 'Locked',
+                status: UserAccountStatus.Locked,
               };
               await establishmentUser.update(loginUpdate, { transaction: t });
 
@@ -404,8 +404,7 @@ router.post('/', async (req, res) => {
             const auditEvent = {
               userFk: establishmentUser.user.id,
               username: establishmentUser.username,
-              type:
-                establishmentUser.invalidAttempt >= maxNumberOfFailedAttempts + 1 ? 'loginWhileLocked' : 'loginFailed',
+              type: establishmentUser.invalidAttempt >= MaxLoginAttempts + 1 ? 'loginWhileLocked' : 'loginFailed',
               property: 'password',
               event: {},
             };

diff --git a/backend/server/routes/registration.js b/backend/server/routes/registration.js
@@ -1,14 +1,15 @@
 const express = require('express');
 const router = express.Router();
 const { v4: uuidv4 } = require('uuid');
-uuidv4();
 const isLocal = require('../utils/security/isLocalTest').isLocal;
 const { registerAccount } = require('./registration/registerAccount');
 const models = require('../models');
 
 const generateJWT = require('../utils/security/generateJWT');
 const sendMail = require('../utils/email/notify-email').sendPasswordReset;
 const { authLimiter } = require('../utils/middleware/rateLimiting');
+const { findUserAccount } = require('./registration/findUserAccount');
+const { findUsername } = require('./registration/findUsername');
 
 router.use('/establishmentExistsCheck', require('./registration/establishmentExistsCheck'));
 
@@ -368,4 +369,8 @@ router.post('/validateResetPassword', async (req, res) => {
   }
 });
 
+router.post('/findUserAccount', findUserAccount);
+
+router.post('/findUsername', findUsername);
+
 module.exports = router;
diff --git a/backend/server/routes/registration/findUserAccount.js b/backend/server/routes/registration/findUserAccount.js
@@ -0,0 +1,97 @@
+const { isEmpty } = require('lodash');
+const { sanitisePostcode } = require('../../utils/postcodeSanitizer');
+const limitFindUserAccountUtils = require('../../utils/limitFindUserAccountUtils');
+const HttpError = require('../../utils/errors/httpError');
+const models = require('../../models/index');
+const { MaxFindUsernameAttempts } = require('../../data/constants');
+
+class FindUserAccountException extends HttpError {}
+
+const findUserAccount = async (req, res) => {
+  try {
+    await validateRequest(req);
+
+    const { name, workplaceIdOrPostcode, email } = req.body;
+    let userFound = null;
+
+    const postcode = sanitisePostcode(workplaceIdOrPostcode);
+    if (postcode) {
+      userFound = await models.user.findByRelevantInfo({ name, postcode, email });
+    }
+
+    userFound =
+      userFound ?? (await models.user.findByRelevantInfo({ name, workplaceId: workplaceIdOrPostcode, email }));
+
+    if (!userFound) {
+      const failedAttemptsCount = await limitFindUserAccountUtils.recordFailedAttempt(req.ip);
+      const remainingAttempts = MaxFindUsernameAttempts - failedAttemptsCount;
+
+      return sendNotFoundResponse(res, remainingAttempts);
+    }
+
+    if (userFound.multipleAccountsFound) {
+      return sendMultipleAccountsFoundResponse(res);
+    }
+
+    if (userFound.accountLocked) {
+      throw new FindUserAccountException('User account is locked', 423);
+    }
+
+    return sendSuccessResponse(res, userFound);
+  } catch (err) {
+    return sendErrorResponse(res, err);
+  }
+};
+
+const validateRequest = async (req) => {
+  if (requestBodyIsInvalid(req)) {
+    throw new FindUserAccountException('Invalid request', 400);
+  }
+
+  if (await ipAddressReachedMaxAttempt(req)) {
+    throw new FindUserAccountException('Reached maximum retry', 429);
+  }
+};
+
+const requestBodyIsInvalid = (req) => {
+  if (!req.body) {
+    return true;
+  }
+  const { name, workplaceIdOrPostcode, email } = req.body;
+
+  return [name, workplaceIdOrPostcode, email].some((field) => isEmpty(field));
+};
+
+const ipAddressReachedMaxAttempt = async (req) => {
+  const attemptsSoFar = (await limitFindUserAccountUtils.getNumberOfFailedAttempts(req.ip)) ?? 0;
+  return attemptsSoFar >= MaxFindUsernameAttempts;
+};
+
+const sendSuccessResponse = (res, userFound) => {
+  const { uid, SecurityQuestionValue } = userFound;
+  return res.status(200).json({
+    status: 'AccountFound',
+    accountUid: uid,
+    securityQuestion: SecurityQuestionValue,
+  });
+};
+
+const sendNotFoundResponse = (res, remainingAttempts = 0) => {
+  return res.status(200).json({ status: 'AccountNotFound', remainingAttempts });
+};
+
+const sendMultipleAccountsFoundResponse = (res) => {
+  return res.status(200).json({ status: 'MultipleAccountsFound' });
+};
+
+const sendErrorResponse = (res, err) => {
+  console.error('registration POST findUserAccount - failed', err);
+
+  if (err instanceof FindUserAccountException) {
+    return res.status(err.statusCode).json({ message: err.message });
+  }
+
+  return res.status(500).send('Internal server error');
+};
+
+module.exports = { findUserAccount, FindUserAccountException };