impr(server): move password update from client to server

this allows us to make sure to invalidate user tokens on password change !nuf
2025-09-06 14:46:47 +08:00 · 2024-05-24 14:34:58 +02:00 · 2024-05-24 14:34:58 +02:00 · 8e057e3cb6
commit 8e057e3cb6
parent 313468cee3
5 changed files with 46 additions and 6 deletions
--- a/backend/src/api/controllers/user.ts
+++ b/backend/src/api/controllers/user.ts
@ -360,6 +360,18 @@ export async function updateEmail(
  return new MonkeyResponse("Email updated");
 }

+export async function updatePassword(
+  req: MonkeyTypes.Request
+): Promise<MonkeyResponse> {
+  const { uid } = req.ctx.decodedToken;
+  const { newPassword } = req.body;
+
+  await AuthUtil.updateUserPassword(uid, newPassword);
+  await AuthUtil.revokeTokensByUid(uid);
+
+  return new MonkeyResponse("Password updated");
+}
+
 function getRelevantUserInfo(
  user: MonkeyTypes.DBUser
 ): Partial<MonkeyTypes.DBUser> {
--- a/backend/src/api/routes/users.ts
+++ b/backend/src/api/routes/users.ts
@ -211,6 +211,20 @@ router.patch(
  asyncHandler(UserController.updateEmail)
 );

+router.patch(
+  "/password",
+  authenticateRequest({
+    requireFreshToken: true,
+  }),
+  RateLimit.userUpdateEmail,
+  validateRequest({
+    body: {
+      newPassword: joi.string().required(),
+    },
+  }),
+  asyncHandler(UserController.updatePassword)
+);
+
 router.delete(
  "/personalBests",
  authenticateRequest({
--- a/backend/src/utils/auth.ts
+++ b/backend/src/utils/auth.ts
@ -59,6 +59,15 @@ export async function updateUserEmail(
  });
 }

+export async function updateUserPassword(
+  uid: string,
+  password: string
+): Promise<UserRecord> {
+  return await FirebaseAdmin().auth().updateUser(uid, {
+    password,
+  });
+}
+
 export async function deleteUser(uid: string): Promise<void> {
  await FirebaseAdmin().auth().deleteUser(uid);
 }
--- a/frontend/src/ts/ape/endpoints/users.ts
+++ b/frontend/src/ts/ape/endpoints/users.ts
@ -78,6 +78,12 @@ export default class Users {
    return await this.httpClient.patch(`${BASE_PATH}/email`, { payload });
  }

+  async updatePassword(newPassword: string): Ape.EndpointResponse<null> {
+    return await this.httpClient.patch(`${BASE_PATH}/password`, {
+      payload: { newPassword },
+    });
+  }
+
  async deletePersonalBests(): Ape.EndpointResponse<null> {
    return await this.httpClient.delete(`${BASE_PATH}/personalBests`);
  }
--- a/frontend/src/ts/modals/simple-modals.ts
+++ b/frontend/src/ts/modals/simple-modals.ts
@ -811,17 +811,16 @@ list.updatePassword = new SimpleModal({
      };
    }

-    try {
-      await updatePassword(reauth.user, newPass);
-    } catch (e) {
-      const message = createErrorMessage(e, "Failed to update password");
+    const response = await Ape.users.updatePassword(newPass);
+
+    if (response.status !== 200) {
      return {
        status: -1,
-        message,
+        message: "Failed to update password: " + response.message,
      };
    }

-    reloadAfter(3);
+    AccountController.signOut();

    return {
      status: 1,