diff --git a/packages/cli/src/Server.ts b/packages/cli/src/Server.ts index 33a81e76d8..ff74e651fb 100644 --- a/packages/cli/src/Server.ts +++ b/packages/cli/src/Server.ts @@ -272,15 +272,7 @@ export class Server extends AbstractServer { ), Container.get(MeController), new NodeTypesController(config, nodeTypes), - new PasswordResetController( - logger, - externalHooks, - internalHooks, - mailer, - userService, - jwtService, - mfaService, - ), + Container.get(PasswordResetController), Container.get(TagsController), new TranslationController(config, this.credentialTypes), new UsersController( diff --git a/packages/cli/src/auth/jwt.ts b/packages/cli/src/auth/jwt.ts index 53f3b7f276..7a1113170f 100644 --- a/packages/cli/src/auth/jwt.ts +++ b/packages/cli/src/auth/jwt.ts @@ -44,6 +44,11 @@ export function issueJWT(user: User): JwtToken { }; } +export const createPasswordSha = (user: User) => + createHash('sha256') + .update(user.password.slice(user.password.length / 2)) + .digest('hex'); + export async function resolveJwtContent(jwtPayload: JwtPayload): Promise { const user = await Db.collections.User.findOne({ where: { id: jwtPayload.id }, @@ -52,9 +57,7 @@ export async function resolveJwtContent(jwtPayload: JwtPayload): Promise { let passwordHash = null; if (user?.password) { - passwordHash = createHash('sha256') - .update(user.password.slice(user.password.length / 2)) - .digest('hex'); + passwordHash = createPasswordSha(user); } // currently only LDAP users during synchronization diff --git a/packages/cli/src/controllers/passwordReset.controller.ts b/packages/cli/src/controllers/passwordReset.controller.ts index acca0ed4c2..6396e2d689 100644 --- a/packages/cli/src/controllers/passwordReset.controller.ts +++ b/packages/cli/src/controllers/passwordReset.controller.ts @@ -1,5 +1,9 @@ +import { Response } from 'express'; +import { rateLimit } from 'express-rate-limit'; +import { Service } from 'typedi'; import { IsNull, Not } from 'typeorm'; import validator from 'validator'; + import { Get, Post, RestController } from '@/decorators'; import { BadRequestError, @@ -14,23 +18,17 @@ import { validatePassword, } from '@/UserManagement/UserManagementHelper'; import { UserManagementMailer } from '@/UserManagement/email'; - -import { Response } from 'express'; import { PasswordResetRequest } from '@/requests'; -import { IExternalHooksClass, IInternalHooksClass } from '@/Interfaces'; import { issueCookie } from '@/auth/jwt'; import { isLdapEnabled } from '@/Ldap/helpers'; import { isSamlCurrentAuthenticationMethod } from '@/sso/ssoHelpers'; import { UserService } from '@/services/user.service'; import { License } from '@/License'; -import { Container } from 'typedi'; import { RESPONSE_ERROR_MESSAGES, inTest } from '@/constants'; -import { TokenExpiredError } from 'jsonwebtoken'; -import type { JwtPayload } from '@/services/jwt.service'; -import { JwtService } from '@/services/jwt.service'; import { MfaService } from '@/Mfa/mfa.service'; import { Logger } from '@/Logger'; -import { rateLimit } from 'express-rate-limit'; +import { ExternalHooks } from '@/ExternalHooks'; +import { InternalHooks } from '@/InternalHooks'; const throttle = rateLimit({ windowMs: 5 * 60 * 1000, // 5 minutes @@ -38,16 +36,17 @@ const throttle = rateLimit({ message: { message: 'Too many requests' }, }); +@Service() @RestController() export class PasswordResetController { constructor( private readonly logger: Logger, - private readonly externalHooks: IExternalHooksClass, - private readonly internalHooks: IInternalHooksClass, + private readonly externalHooks: ExternalHooks, + private readonly internalHooks: InternalHooks, private readonly mailer: UserManagementMailer, private readonly userService: UserService, - private readonly jwtService: JwtService, private readonly mfaService: MfaService, + private readonly license: License, ) {} /** @@ -92,7 +91,7 @@ export class PasswordResetController { relations: ['authIdentities', 'globalRole'], }); - if (!user?.isOwner && !Container.get(License).isWithinUsersLimit()) { + if (!user?.isOwner && !this.license.isWithinUsersLimit()) { this.logger.debug( 'Request to send password reset email failed because the user limit was reached', ); @@ -123,29 +122,16 @@ export class PasswordResetController { throw new UnprocessableRequestError('forgotPassword.ldapUserPasswordResetUnavailable'); } - const baseUrl = getInstanceBaseUrl(); + const url = this.userService.generatePasswordResetUrl(user); + const { id, firstName, lastName } = user; - - const resetPasswordToken = this.jwtService.signData( - { sub: id }, - { - expiresIn: '20m', - }, - ); - - const url = this.userService.generatePasswordResetUrl( - baseUrl, - resetPasswordToken, - user.mfaEnabled, - ); - try { await this.mailer.passwordReset({ email, firstName, lastName, passwordResetUrl: url, - domain: baseUrl, + domain: getInstanceBaseUrl(), }); } catch (error) { void this.internalHooks.onEmailFailed({ @@ -173,9 +159,9 @@ export class PasswordResetController { */ @Get('/resolve-password-token') async resolvePasswordToken(req: PasswordResetRequest.Credentials) { - const { token: resetPasswordToken } = req.query; + const { token } = req.query; - if (!resetPasswordToken) { + if (!token) { this.logger.debug( 'Request to resolve password token failed because of missing password reset token', { @@ -185,32 +171,17 @@ export class PasswordResetController { throw new BadRequestError(''); } - const decodedToken = this.verifyResetPasswordToken(resetPasswordToken); + const user = await this.userService.resolvePasswordResetToken(token); + if (!user) throw new NotFoundError(''); - const user = await this.userService.findOne({ - where: { id: decodedToken.sub }, - relations: ['globalRole'], - }); - - if (!user?.isOwner && !Container.get(License).isWithinUsersLimit()) { + if (!user?.isOwner && !this.license.isWithinUsersLimit()) { this.logger.debug( 'Request to resolve password token failed because the user limit was reached', - { userId: decodedToken.sub }, + { userId: user.id }, ); throw new UnauthorizedError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED); } - if (!user) { - this.logger.debug( - 'Request to resolve password token failed because no user was found for the provided user ID', - { - userId: decodedToken.sub, - resetPasswordToken, - }, - ); - throw new NotFoundError(''); - } - this.logger.info('Reset-password token resolved successfully', { userId: user.id }); void this.internalHooks.onUserPasswordResetEmailClick({ user }); } @@ -220,9 +191,9 @@ export class PasswordResetController { */ @Post('/change-password') async changePassword(req: PasswordResetRequest.NewPassword, res: Response) { - const { token: resetPasswordToken, password, mfaToken } = req.body; + const { token, password, mfaToken } = req.body; - if (!resetPasswordToken || !password) { + if (!token || !password) { this.logger.debug( 'Request to change password failed because of missing user ID or password or reset password token in payload', { @@ -234,22 +205,8 @@ export class PasswordResetController { const validPassword = validatePassword(password); - const decodedToken = this.verifyResetPasswordToken(resetPasswordToken); - - const user = await this.userService.findOne({ - where: { id: decodedToken.sub }, - relations: ['authIdentities', 'globalRole'], - }); - - if (!user) { - this.logger.debug( - 'Request to resolve password token failed because no user was found for the provided user ID', - { - resetPasswordToken, - }, - ); - throw new NotFoundError(''); - } + const user = await this.userService.resolvePasswordResetToken(token); + if (!user) throw new NotFoundError(''); if (user.mfaEnabled) { if (!mfaToken) throw new BadRequestError('If MFA enabled, mfaToken is required.'); @@ -285,23 +242,4 @@ export class PasswordResetController { await this.externalHooks.run('user.password.update', [user.email, passwordHash]); } - - private verifyResetPasswordToken(resetPasswordToken: string) { - let decodedToken: JwtPayload; - try { - decodedToken = this.jwtService.verifyToken(resetPasswordToken); - return decodedToken; - } catch (e) { - if (e instanceof TokenExpiredError) { - this.logger.debug('Reset password token expired', { - resetPasswordToken, - }); - throw new NotFoundError(''); - } - this.logger.debug('Error verifying token', { - resetPasswordToken, - }); - throw new BadRequestError(''); - } - } } diff --git a/packages/cli/src/controllers/users.controller.ts b/packages/cli/src/controllers/users.controller.ts index 8965ed1286..5382f4de6d 100644 --- a/packages/cli/src/controllers/users.controller.ts +++ b/packages/cli/src/controllers/users.controller.ts @@ -411,23 +411,8 @@ export class UsersController { throw new NotFoundError('User not found'); } - const resetPasswordToken = this.jwtService.signData( - { sub: user.id }, - { - expiresIn: '1d', - }, - ); - - const baseUrl = getInstanceBaseUrl(); - - const link = this.userService.generatePasswordResetUrl( - baseUrl, - resetPasswordToken, - user.mfaEnabled, - ); - return { - link, - }; + const link = this.userService.generatePasswordResetUrl(user); + return { link }; } @Authorized(['global', 'owner']) diff --git a/packages/cli/src/services/jwt.service.ts b/packages/cli/src/services/jwt.service.ts index 094b595d8d..d9fe0d916a 100644 --- a/packages/cli/src/services/jwt.service.ts +++ b/packages/cli/src/services/jwt.service.ts @@ -10,8 +10,8 @@ export class JwtService { return jwt.sign(payload, this.userManagementSecret, options); } - public verifyToken(token: string, options: jwt.VerifyOptions = {}) { - return jwt.verify(token, this.userManagementSecret, options) as jwt.JwtPayload; + public verifyToken(token: string, options: jwt.VerifyOptions = {}) { + return jwt.verify(token, this.userManagementSecret, options) as T; } } diff --git a/packages/cli/src/services/user.service.ts b/packages/cli/src/services/user.service.ts index 6d6c9c15f5..0badb9cd9e 100644 --- a/packages/cli/src/services/user.service.ts +++ b/packages/cli/src/services/user.service.ts @@ -7,10 +7,18 @@ import { UserRepository } from '@/databases/repositories'; import { getInstanceBaseUrl } from '@/UserManagement/UserManagementHelper'; import type { PublicUser } from '@/Interfaces'; import type { PostHogClient } from '@/posthog'; +import { type JwtPayload, JwtService } from './jwt.service'; +import { TokenExpiredError } from 'jsonwebtoken'; +import { Logger } from '@/Logger'; +import { createPasswordSha } from '@/auth/jwt'; @Service() export class UserService { - constructor(private readonly userRepository: UserRepository) {} + constructor( + private readonly logger: Logger, + private readonly userRepository: UserRepository, + private readonly jwtService: JwtService, + ) {} async findOne(options: FindOneOptions) { return this.userRepository.findOne({ relations: ['globalRole'], ...options }); @@ -54,15 +62,57 @@ export class UserService { return this.userRepository.update(userId, { settings: { ...settings, ...newSettings } }); } - generatePasswordResetUrl(instanceBaseUrl: string, token: string, mfaEnabled: boolean) { + generatePasswordResetToken(user: User, expiresIn = '20m') { + return this.jwtService.signData( + { sub: user.id, passwordSha: createPasswordSha(user) }, + { expiresIn }, + ); + } + + generatePasswordResetUrl(user: User) { + const instanceBaseUrl = getInstanceBaseUrl(); const url = new URL(`${instanceBaseUrl}/change-password`); - url.searchParams.append('token', token); - url.searchParams.append('mfaEnabled', mfaEnabled.toString()); + url.searchParams.append('token', this.generatePasswordResetToken(user)); + url.searchParams.append('mfaEnabled', user.mfaEnabled.toString()); return url.toString(); } + async resolvePasswordResetToken(token: string): Promise { + let decodedToken: JwtPayload & { passwordSha: string }; + try { + decodedToken = this.jwtService.verifyToken(token); + } catch (e) { + if (e instanceof TokenExpiredError) { + this.logger.debug('Reset password token expired', { token }); + } else { + this.logger.debug('Error verifying token', { token }); + } + return; + } + + const user = await this.userRepository.findOne({ + where: { id: decodedToken.sub }, + relations: ['authIdentities', 'globalRole'], + }); + + if (!user) { + this.logger.debug( + 'Request to resolve password token failed because no user was found for the provided user ID', + { userId: decodedToken.sub, token }, + ); + return; + } + + if (createPasswordSha(user) !== decodedToken.passwordSha) { + this.logger.debug('Password updated since this token was generated'); + return; + } + + return user; + } + async toPublic(user: User, options?: { withInviteUrl?: boolean; posthog?: PostHogClient }) { const { password, updatedAt, apiKey, authIdentities, ...rest } = user; diff --git a/packages/cli/test/integration/mfa/mfa.api.test.ts b/packages/cli/test/integration/mfa/mfa.api.test.ts index 3914a42843..da959f4013 100644 --- a/packages/cli/test/integration/mfa/mfa.api.test.ts +++ b/packages/cli/test/integration/mfa/mfa.api.test.ts @@ -1,14 +1,14 @@ +import Container from 'typedi'; import config from '@/config'; import * as Db from '@/Db'; import type { Role } from '@db/entities/Role'; import type { User } from '@db/entities/User'; -import * as testDb from './../shared/testDb'; -import * as utils from '../shared/utils'; import { randomPassword } from '@/Ldap/helpers'; -import { randomDigit, randomString, randomValidPassword, uniqueId } from '../shared/random'; import { TOTPService } from '@/Mfa/totp.service'; -import Container from 'typedi'; -import { JwtService } from '@/services/jwt.service'; +import { UserService } from '@/services/user.service'; +import { randomDigit, randomString, randomValidPassword, uniqueId } from '../shared/random'; +import * as testDb from '../shared/testDb'; +import * as utils from '../shared/utils'; jest.mock('@/telemetry'); @@ -206,7 +206,7 @@ describe('Change password with MFA enabled', () => { }); test('POST /change-password should fail due to missing MFA token', async () => { - const { user } = await testDb.createUserWithMfaEnabled(); + await testDb.createUserWithMfaEnabled(); const newPassword = randomValidPassword(); @@ -216,11 +216,11 @@ describe('Change password with MFA enabled', () => { .post('/change-password') .send({ password: newPassword, token: resetPasswordToken }); - expect(response.statusCode).toBe(400); + expect(response.statusCode).toBe(404); }); test('POST /change-password should fail due to invalid MFA token', async () => { - const { user } = await testDb.createUserWithMfaEnabled(); + await testDb.createUserWithMfaEnabled(); const newPassword = randomValidPassword(); @@ -232,7 +232,7 @@ describe('Change password with MFA enabled', () => { mfaToken: randomDigit(), }); - expect(response.statusCode).toBe(400); + expect(response.statusCode).toBe(404); }); test('POST /change-password should update password', async () => { @@ -242,9 +242,7 @@ describe('Change password with MFA enabled', () => { config.set('userManagement.jwtSecret', randomString(5, 10)); - const jwtService = Container.get(JwtService); - - const resetPasswordToken = jwtService.signData({ sub: user.id }); + const resetPasswordToken = Container.get(UserService).generatePasswordResetToken(user); const mfaToken = new TOTPService().generateTOTP(rawSecret); diff --git a/packages/cli/test/integration/passwordReset.api.test.ts b/packages/cli/test/integration/passwordReset.api.test.ts index 5c9a01017f..8bcbd38aba 100644 --- a/packages/cli/test/integration/passwordReset.api.test.ts +++ b/packages/cli/test/integration/passwordReset.api.test.ts @@ -1,8 +1,9 @@ import { v4 as uuid } from 'uuid'; import { compare } from 'bcryptjs'; import { Container } from 'typedi'; -import { License } from '@/License'; +import { mock } from 'jest-mock-extended'; +import { License } from '@/License'; import * as Db from '@/Db'; import config from '@/config'; import type { Role } from '@db/entities/Role'; @@ -10,6 +11,7 @@ import type { User } from '@db/entities/User'; import { setCurrentAuthenticationMethod } from '@/sso/ssoHelpers'; import { ExternalHooks } from '@/ExternalHooks'; import { JwtService } from '@/services/jwt.service'; +import { UserService } from '@/services/user.service'; import { UserManagementMailer } from '@/UserManagement/email'; import * as utils from './shared/utils/'; @@ -33,6 +35,7 @@ const externalHooks = utils.mockInstance(ExternalHooks); const mailer = utils.mockInstance(UserManagementMailer, { isEmailSetUp: true }); const testServer = utils.setupTestServer({ endpointGroups: ['passwordReset'] }); const jwtService = Container.get(JwtService); +let userService: UserService; beforeAll(async () => { globalOwnerRole = await testDb.getGlobalOwnerRole(); @@ -45,6 +48,7 @@ beforeEach(async () => { member = await testDb.createUser({ globalRole: globalMemberRole }); externalHooks.run.mockReset(); jest.replaceProperty(mailer, 'isEmailSetUp', true); + userService = Container.get(UserService); }); describe('POST /forgot-password', () => { @@ -127,7 +131,7 @@ describe('POST /forgot-password', () => { describe('GET /resolve-password-token', () => { test('should succeed with valid inputs', async () => { - const resetPasswordToken = jwtService.signData({ sub: owner.id }); + const resetPasswordToken = userService.generatePasswordResetToken(owner); const response = await testServer.authlessAgent .get('/resolve-password-token') @@ -137,17 +141,15 @@ describe('GET /resolve-password-token', () => { }); test('should fail with invalid inputs', async () => { - const first = await testServer.authlessAgent + await testServer.authlessAgent .get('/resolve-password-token') - .query({ token: uuid() }); + .query({ token: uuid() }) + .expect(404); - const second = await testServer.authlessAgent + await testServer.authlessAgent .get('/resolve-password-token') - .query({ userId: owner.id }); - - for (const response of [first, second]) { - expect(response.statusCode).toBe(400); - } + .query({ userId: owner.id }) + .expect(400); }); test('should fail if user is not found', async () => { @@ -161,7 +163,18 @@ describe('GET /resolve-password-token', () => { }); test('should fail if token is expired', async () => { - const resetPasswordToken = jwtService.signData({ sub: owner.id }, { expiresIn: '-1h' }); + const resetPasswordToken = userService.generatePasswordResetToken(owner, '-1h'); + + const response = await testServer.authlessAgent + .get('/resolve-password-token') + .query({ userId: owner.id, token: resetPasswordToken }); + + expect(response.statusCode).toBe(404); + }); + + test('should fail after password has changed', async () => { + const updatedUser = mock({ ...owner, password: 'another-password' }); + const resetPasswordToken = userService.generatePasswordResetToken(updatedUser); const response = await testServer.authlessAgent .get('/resolve-password-token') @@ -175,7 +188,7 @@ describe('POST /change-password', () => { const passwordToStore = randomValidPassword(); test('should succeed with valid inputs', async () => { - const resetPasswordToken = jwtService.signData({ sub: owner.id }); + const resetPasswordToken = userService.generatePasswordResetToken(owner); const response = await testServer.authlessAgent.post('/change-password').send({ token: resetPasswordToken, userId: owner.id, @@ -202,7 +215,7 @@ describe('POST /change-password', () => { }); test('should fail with invalid inputs', async () => { - const resetPasswordToken = jwtService.signData({ sub: owner.id }); + const resetPasswordToken = userService.generatePasswordResetToken(owner); const invalidPayloads = [ { token: uuid() }, @@ -236,7 +249,7 @@ describe('POST /change-password', () => { }); test('should fail when token has expired', async () => { - const resetPasswordToken = jwtService.signData({ sub: owner.id }, { expiresIn: '-1h' }); + const resetPasswordToken = userService.generatePasswordResetToken(owner, '-1h'); const response = await testServer.authlessAgent.post('/change-password').send({ token: resetPasswordToken, @@ -252,7 +265,7 @@ describe('POST /change-password', () => { test('owner should be able to reset its password when quota:users = 1', async () => { jest.spyOn(Container.get(License), 'getUsersLimit').mockReturnValueOnce(1); - const resetPasswordToken = jwtService.signData({ sub: owner.id }); + const resetPasswordToken = userService.generatePasswordResetToken(owner); const response = await testServer.authlessAgent.post('/change-password').send({ token: resetPasswordToken, userId: owner.id, @@ -281,7 +294,7 @@ describe('POST /change-password', () => { test('member should not be able to reset its password when quota:users = 1', async () => { jest.spyOn(Container.get(License), 'getUsersLimit').mockReturnValueOnce(1); - const resetPasswordToken = jwtService.signData({ sub: member.id }); + const resetPasswordToken = userService.generatePasswordResetToken(member); const response = await testServer.authlessAgent.post('/change-password').send({ token: resetPasswordToken, userId: member.id, diff --git a/packages/cli/test/integration/shared/utils/testServer.ts b/packages/cli/test/integration/shared/utils/testServer.ts index d22f496d53..3d202fe4e5 100644 --- a/packages/cli/test/integration/shared/utils/testServer.ts +++ b/packages/cli/test/integration/shared/utils/testServer.ts @@ -236,19 +236,7 @@ export const setupTestServer = ({ registerController(app, config, Container.get(MeController)); break; case 'passwordReset': - registerController( - app, - config, - new PasswordResetController( - logger, - externalHooks, - internalHooks, - mailer, - userService, - Container.get(JwtService), - mfaService, - ), - ); + registerController(app, config, Container.get(PasswordResetController)); break; case 'owner': registerController( diff --git a/packages/cli/test/unit/services/user.service.test.ts b/packages/cli/test/unit/services/user.service.test.ts new file mode 100644 index 0000000000..0eeaf8b617 --- /dev/null +++ b/packages/cli/test/unit/services/user.service.test.ts @@ -0,0 +1,73 @@ +import Container from 'typedi'; +import jwt from 'jsonwebtoken'; +import { Logger } from '@/Logger'; +import config from '@/config'; +import { User } from '@db/entities/User'; +import { UserRepository } from '@db/repositories'; +import { UserService } from '@/services/user.service'; +import { mockInstance } from '../../integration/shared/utils'; + +describe('UserService', () => { + config.set('userManagement.jwtSecret', 'random-secret'); + + mockInstance(Logger); + const repository = mockInstance(UserRepository); + const service = Container.get(UserService); + const testUser = Object.assign(new User(), { + id: '1234', + password: 'passwordHash', + mfaEnabled: false, + }); + + beforeEach(() => { + jest.resetAllMocks(); + }); + + describe('generatePasswordResetToken', () => { + it('should generate valid password-reset tokens', () => { + const token = service.generatePasswordResetToken(testUser); + const decoded = jwt.decode(token) as jwt.JwtPayload; + expect(decoded.sub).toEqual(testUser.id); + expect(decoded.exp! - decoded.iat!).toEqual(1200); // Expires in 20 minutes + expect(decoded.passwordSha).toEqual( + '31513c5a9e3c5afe5c06d5675ace74e8bc3fadd9744ab5d89c311f2a62ccbd39', + ); + }); + }); + + describe('resolvePasswordResetToken', () => { + it('should not return a user if the token in invalid', async () => { + const user = await service.resolvePasswordResetToken('invalid-token'); + expect(user).toBeUndefined(); + }); + + it('should not return a user if the token in expired', async () => { + const token = service.generatePasswordResetToken(testUser, '-1h'); + const user = await service.resolvePasswordResetToken(token); + expect(user).toBeUndefined(); + }); + + it('should not return a user if the user does not exist in the DB', async () => { + repository.findOne.mockResolvedValueOnce(null); + const token = service.generatePasswordResetToken(testUser); + const user = await service.resolvePasswordResetToken(token); + expect(user).toBeUndefined(); + }); + + it('should not return a user if the password sha does not match', async () => { + const token = service.generatePasswordResetToken(testUser); + const updatedUser = Object.create(testUser); + updatedUser.password = 'something-else'; + repository.findOne.mockResolvedValueOnce(updatedUser); + const user = await service.resolvePasswordResetToken(token); + expect(user).toBeUndefined(); + }); + + it('should not return the user if all checks pass', async () => { + const token = service.generatePasswordResetToken(testUser); + repository.findOne.mockResolvedValueOnce(testUser); + const user = await service.resolvePasswordResetToken(token); + expect(user).toEqual(testUser); + }); + }); +}); diff --git a/packages/editor-ui/src/plugins/i18n/locales/en.json b/packages/editor-ui/src/plugins/i18n/locales/en.json index 7b9c66e3b7..8c5ecba3d1 100644 --- a/packages/editor-ui/src/plugins/i18n/locales/en.json +++ b/packages/editor-ui/src/plugins/i18n/locales/en.json @@ -93,7 +93,7 @@ "auth.changePassword.passwordUpdatedMessage": "You can now sign in with your new password", "auth.changePassword.passwordsMustMatchError": "Passwords must match", "auth.changePassword.reenterNewPassword": "Re-enter new password", - "auth.changePassword.tokenValidationError": "Issue validating invite token", + "auth.changePassword.tokenValidationError": "Invalid password-reset token", "auth.defaultPasswordRequirements": "8+ characters, at least 1 number and 1 capital letter", "auth.validation.missingParameters": "Missing token or user id", "auth.email": "Email", diff --git a/packages/editor-ui/src/views/ChangePasswordView.vue b/packages/editor-ui/src/views/ChangePasswordView.vue index 8b22ba2f39..eafe3816b6 100644 --- a/packages/editor-ui/src/views/ChangePasswordView.vue +++ b/packages/editor-ui/src/views/ChangePasswordView.vue @@ -103,10 +103,8 @@ export default defineComponent({ await this.usersStore.validatePasswordToken({ token }); } catch (e) { - this.showMessage({ - title: this.$locale.baseText('auth.changePassword.tokenValidationError'), - type: 'error', - }); + this.showError(e, this.$locale.baseText('auth.changePassword.tokenValidationError')); + void this.$router.replace({ name: VIEWS.SIGNIN }); } }, methods: { diff --git a/packages/editor-ui/src/views/SignupView.vue b/packages/editor-ui/src/views/SignupView.vue index 75a4f567aa..0434ed1c81 100644 --- a/packages/editor-ui/src/views/SignupView.vue +++ b/packages/editor-ui/src/views/SignupView.vue @@ -121,7 +121,7 @@ export default defineComponent({ async onSubmit(values: { [key: string]: string | boolean }) { if (!this.inviterId || !this.inviteeId) { this.showError( - new Error(this.$locale.baseText('auth.changePassword.tokenValidationError')), + new Error(this.$locale.baseText('auth.signup.tokenValidationError')), this.$locale.baseText('auth.signup.setupYourAccountError'), ); return;