feat(#9547): add password change feature on first time login

api/resources/translations/messages-en.properties

@@ -400,6 +400,12 @@ bulkdelete.confirm.title = Delete record?
 bulkdelete.confirm.title.plural = Delete selected records?
 call = Call
 case_id = Case ID
+change.password.title = Change your password
+change.password.hint = Use uppercase letters, numbers, and special characters.
+change.password.new.password = New Password
+change.password.confirm.password = Confirm password
+change.password.submit = Change password
+change.password.required = Password and Confirm Password fields are required
 child_birth_date = Child birth date
 child_birth_outcome = Child birth outcome
 child_birth_weight = Child birth weight

api/resources/translations/messages-es.properties

@@ -400,6 +400,12 @@ bulkdelete.confirm.title = ¿Eliminar el registro?
 bulkdelete.confirm.title.plural = ¿Eliminar registros seleccionados?
 call = Llamar
 case_id = Identificación del caso
+change.password.title = Cambia tu contraseña
+change.password.hint = Utilice letras mayúsculas, números y caracteres especiales..
+change.password.new.password = Nueva contraseña
+change.password.confirm.password = Confirmar Contraseña
+change.password.submit = Cambiar la contraseña
+change.password.required = Los campos Contraseña y Confirmar contraseña son obligatorios
 child_birth_date = Fecha de nacimiento del niño
 child_birth_outcome = Resultado del nacimiento del niño
 child_birth_weight = Peso del niño al nacer

api/src/auth.js

@@ -59,7 +59,12 @@ module.exports = {
       .then(auth => {
         if (auth?.userCtx?.name) {
           req.headers['X-Medic-User'] = auth.userCtx.name;
-          return auth.userCtx;
+          return db.users
+            .get(`org.couchdb.user:${auth.userCtx.name}`)
+            .then(user => ({
+              ...auth.userCtx,
+              password_change_required: user.password_change_required || false
+            }));
         }
         throw { code: 500, message: 'Failed to authenticate' };
       });

api/src/controllers/login.js

@@ -17,6 +17,10 @@ const translations = require('../translations');
 const template = require('../services/template');
 const rateLimitService = require('../services/rate-limit');
 const serverUtils = require('../server-utils');
+const passwordTester = require('simple-password-tester');
+
+const PASSWORD_MINIMUM_LENGTH = 8;
+const PASSWORD_MINIMUM_SCORE = 50;
 
 const templates = {
   login: {
@@ -51,6 +55,30 @@ const templates = {
       'privacy.policy'
     ],
   },
+  passwordReset: {
+    file: path.join(__dirname, '..', 'templates', 'login', 'password-reset.html'),
+    translationStrings: [
+      'login.show_password',
+      'login.hide_password',
+      'change.password.title',
+      'change.password',
+      'change.password.hint',
+      'change.password.submit',
+      'change.password.new.password',
+      'change.password.confirm.password',
+      'change.password.required',
+      'password.weak',
+      'password.length.minimum',
+      'Passwords must match'
+    ],
+  }
+};
+
+const skipPasswordChange = async (userCtx) => {
+  if (roles.isDbAdmin(userCtx)) {
+    return true;
+  }
+  return await auth.hasAllPermissions(userCtx, 'can_skip_password_change');
 };
 
 const getHomeUrl = userCtx => {
@@ -201,7 +229,9 @@ const setCookies = (req, res, sessionRes) => {
       cookie.setSession(res, sessionCookie);
       setUserCtxCookie(res, userCtx);
       // Delete login=force cookie
-      res.clearCookie('login');
+      if (!userCtx.password_change_required) {
+        cookie.clearCookie(res, 'login');
+      }
 
       return Promise.resolve()
         .then(() => {
@@ -213,7 +243,10 @@ const setCookies = (req, res, sessionRes) => {
           const selectedLocale = req.body.locale
             || config.get('locale');
           cookie.setLocale(res, selectedLocale);
-          return getRedirectUrl(userCtx, req.body.redirect);
+          return {
+            userCtx,
+            redirectUrl: getRedirectUrl(userCtx, req.body.redirect),
+          };
         });
     })
     .catch(err => {
@@ -300,26 +333,70 @@ const renderLogin = (req) => {
   return render('login', req);
 };
 
+const renderPasswordReset = (req) => {
+  return render('passwordReset', req);
+};
+
+const validatePassword = (password, confirmPassword) => {
+  if (!password || !confirmPassword) {
+    return { isValid: false, error: 'required'};
+  }
+
+  if (password.length < PASSWORD_MINIMUM_LENGTH) {
+    return {
+      isValid: false,
+      error: 'short',
+      params: { minimum: PASSWORD_MINIMUM_LENGTH}
+    };
+  }
+
+  if (password !== confirmPassword) {
+    return { isValid: false, error: 'mismatch' };
+  }
+
+  if (passwordTester(password) < PASSWORD_MINIMUM_SCORE) {
+    return { isValid: false, error: 'weak' };
+  }
+
+  return { isValid: true };
+};
+
+const validateSession = async (req) => {
+  const sessionRes = await createSession(req);
+  if (sessionRes.statusCode !== 200) {
+    const error = new Error('Not logged in');
+    error.status = sessionRes.statusCode;
+    throw error;
+  }
+  return sessionRes;
+};
+
+const sendLoginErrorResponse = (e, res) => {
+  if (e.status === 401) {
+    return res.status(401).json({ error: e.error });
+  }
+  logger.error('Error logging in: %o', e);
+  return res.status(500).json({ error: 'Unexpected error logging in' });
+};
+
 const login = async (req, res) => {
   try {
-    const sessionRes = await createSession(req);
-    if (sessionRes.statusCode !== 200) {
-      res.status(sessionRes.statusCode).json({ error: 'Not logged in' });
-    } else {
-      const redirectUrl = await setCookies(req, res, sessionRes);
-      res.status(302).send(redirectUrl);
+    const sessionRes = await validateSession(req);
+    const { userCtx, redirectUrl } = await setCookies(req, res, sessionRes);
+
+    if (!(await skipPasswordChange(userCtx)) && userCtx.password_change_required){
+      return res.status(302).send('/medic/password-reset');
     }
+
+    return res.status(302).send(redirectUrl);
   } catch (e) {
-    if (e.status === 401) {
-      return res.status(401).json({ error: e.error });
-    }
-    logger.error('Error logging in: %o', e);
-    res.status(500).json({ error: 'Unexpected error logging in' });
+    return sendLoginErrorResponse(e, res);
   }
 };
 
 module.exports = {
   renderLogin,
+  renderPasswordReset,
 
   get: (req, res, next) => {
     return renderLogin(req)
@@ -328,6 +405,7 @@ module.exports = {
           'Link',
           '</login/style.css>; rel=preload; as=style, '
           + '</login/script.js>; rel=preload; as=script, '
+          + '</login/auth-utils.js>; rel=preload; as=script, '
           + '</login/lib-bowser.js>; rel=preload; as=script'
         );
         res.send(body);
@@ -355,6 +433,61 @@ module.exports = {
       });
   },
 
+  passwordResetGet: (req, res, next) => {
+    return renderPasswordReset(req)
+      .then(body => {
+        res.setHeader(
+          'Link',
+          '</login/style.css>; rel=preload; as=style, '
+              + '</login/auth-utils.js>; rel=preload; as=script, '
+              + '</login/password-reset.js>; rel=preload; as=script'
+        );
+        res.send(body);
+      })
+      .catch(next);
+  },
+  passwordResetPost: async (req, res) => {
+    const limited = await rateLimitService.isLimited(req);
+    if (limited) {
+      return serverUtils.rateLimited(req, res);
+    }
+
+    try {
+      const validation = validatePassword(req.body.password, req.body.confirmPassword);
+      if (!validation.isValid) {
+        return res.status(400).json({
+          error: `password${validation.error}`,
+          params: validation.params,
+        });
+      }
+      const userCtx = await auth.getUserCtx(req);
+      const user = await db.users.get(`org.couchdb.user:${userCtx.name}`);
+      user.password = req.body.password;
+      user.password_change_required = false;
+
+      await db.users.put(user);
+
+      cookie.clearCookie(res, 'login');
+      cookie.clearCookie(res, 'AuthSession');
+
+      req.body = {
+        ...req.body,
+        user: user.name,
+        password: req.body.password,
+        locale: req.body.locale,
+        password_updated: true,
+      };
+
+      const sessionRes = await createSessionRetry(req);
+      cookie.setPasswordUpdated(res);
+
+      const { redirectUrl } = await setCookies(req, res, sessionRes);
+      return res.status(302).send(redirectUrl);
+    } catch (err) {
+      logger.error('Error updating password: %o', err);
+      res.status(500).json({ error: 'Error updating password' });
+    }
+  },
   tokenGet: (req, res, next) => renderTokenLogin(req, res).catch(next),
   tokenPost: async (req, res, next) => {
     const limited = await rateLimitService.isLimited(req);

api/src/generate-service-worker.js

@@ -53,6 +53,10 @@ const getLoginPageContents = async () => {
   return await loginController.renderLogin();
 };
 
+const getPasswordResetPageContents = async () => {
+  return await loginController.renderPasswordReset();
+};
+
 const appendExtensionLibs = async (config) => {
   const libs = await extensionLibs.getAll();
   // cache this even if there are no libs so offline client knows there are no libs
@@ -99,6 +103,7 @@ const writeServiceWorkerFile = async () => {
     templatedURLs: {
       '/': ['webapp/index.html'], // Webapp's entry point
       '/medic/login': await getLoginPageContents(),
+      '/medic/password-reset': await getPasswordResetPageContents(),
       '/medic/_design/medic/_rewrite/': ['webapp/appcache-upgrade.html']
     },
     ignoreURLParametersMatching: [/redirect/, /username/],

api/src/public/login/auth-utils.js

@@ -0,0 +1,65 @@
+export const setState = function(className) {
+    document.getElementById('form').className = className;
+};
+
+export const request = function(method, url, payload, callback) {
+    const xmlhttp = new XMLHttpRequest();
+    xmlhttp.onreadystatechange = function() {
+        if (xmlhttp.readyState === XMLHttpRequest.DONE) {
+            callback(xmlhttp);
+        }
+    };
+    xmlhttp.open(method, url, true);
+    xmlhttp.setRequestHeader('Content-Type', 'application/json');
+    xmlhttp.setRequestHeader('Accept', 'application/json');
+    xmlhttp.send(payload);
+};
+
+const extractCookie = function(cookies, name) {
+    for (const cookie of cookies) {
+        const [cookieName, cookieValue] = cookie.trim().split('=');
+        if (cookieName === name) {
+            return cookieValue.trim();
+        }
+    }
+    return null;
+};
+
+export const getCookie = function(name) {
+    if (!document.cookie) {
+        return null;
+    }
+
+    const cookies = document.cookie.split(';');
+    return extractCookie(cookies, name);
+};
+
+export const getLocale = function(translations) {
+    const selectedLocale = getCookie('locale');
+    const defaultLocale = document.body.getAttribute('data-default-locale');
+    const locale = selectedLocale || defaultLocale;
+    if (translations[locale]) {
+        return locale;
+    }
+    const validLocales = Object.keys(translations);
+    if (validLocales.length) {
+        return validLocales[0];
+    }
+};
+
+export const parseTranslations = function() {
+    const raw = document.body.getAttribute('data-translations');
+    return JSON.parse(decodeURIComponent(raw));
+};
+
+export const baseTranslate = (selectedLocale, translations) => {
+    if (!selectedLocale) {
+        return console.error('No enabled locales found - not translating');
+    }
+    document
+        .querySelectorAll('[translate]')
+        .forEach(elem => elem.innerText = translations[selectedLocale][elem.getAttribute('translate')]);
+    document
+        .querySelectorAll('[translate-title]')
+        .forEach(elem => elem.title = translations[selectedLocale][elem.getAttribute('translate-title')]);
+};