diff --git a/lib/api/users.js b/lib/api/users.js
index c9e359d1..c8e3e656 100644
--- a/lib/api/users.js
+++ b/lib/api/users.js
@@ -1345,6 +1345,7 @@ module.exports = (db, server, userHandler) => {
 * }
 *
 * @apiParam {String} id Users unique ID.
+ * @apiParam {String} [validAfter] Allow using the generated password not earlier than provided time
 * @apiParam {String} [sess] Session identifier for the logs
 * @apiParam {String} [ip] IP address for the logs
 *
@@ -1382,6 +1383,9 @@ module.exports = (db, server, userHandler) => {
 .lowercase()
 .length(24)
 .required(),
+ validAfter: Joi.date()
+ .empty('')
+ .allow(false),
 sess: Joi.string().max(255),
 ip: Joi.string().ip({
 version: ['ipv4', 'ipv6'],
@@ -1414,7 +1418,8 @@ module.exports = (db, server, userHandler) => {
 }
 res.json({
 success: true,
- password
+ password,
+ validAfter: result.value || new Date()
 });
 return next();
 });
diff --git a/lib/user-handler.js b/lib/user-handler.js
index 07f44e02..6f55cb59 100644
--- a/lib/user-handler.js
+++ b/lib/user-handler.js
@@ -357,6 +357,12 @@ class UserHandler {
 return next(err);
 }
 if (success) {
+ if (userData.validAfter > new Date()) {
+ let err = new Error('Temporary password is not yet activated');
+ err.code = 'TempPasswordNotYetValid';
+ return next(err);
+ }
+
 requirePasswordChange = true;
 usingTemporaryPassword = true;
 return next(null, true);
@@ -371,7 +377,7 @@ class UserHandler {
 // try master password
 checkMasterPassword((err, success) => {
 if (err) {
- err.code = 'BcryptError';
+ err.code = err.code || 'BcryptError';
 return callback(err);
 }
 
@@ -1167,6 +1173,7 @@ class UserHandler {
 {
 $set: {
 tempPassword: {
+ validAfter: data.validAfter || new Date(),
 password: bcrypt.hashSync(password, consts.BCRYPT_ROUNDS),
 created: new Date()
 }
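Review bot: In the `res.json` call of lib/api/users.js (third hunk), `validAfter: result.value || new Date()` looks like it returns the wrong value. The declaration of `result` is outside the hunk, but if it is the Joi validation result then `result.value` is the whole validated parameter object, which is always truthy. The response would then carry that object instead of a timestamp and would never fall back to `new Date()`. The line should read the validated property, `validAfter: result.value.validAfter || new Date()`, so a caller that forwards the activation time to the user gets a date.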
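Review bot: The activation check added under `if (success)` in lib/user-handler.js reads `userData.validAfter`, but the reset path in the last hunk stores the value nested, as `tempPassword.validAfter`. Unless `userData` receives a top-level `validAfter` somewhere outside these hunks, the comparison evaluates `undefined > new Date()`, which is false. A temporary password would then authenticate before its activation time and the `TempPasswordNotYetValid` branch would never run. The condition should be `if (userData.tempPassword.validAfter > new Date()) {`, ideally backed by a test that resets with a future `validAfter` and asserts that authentication is rejected. The enclosing bcrypt callback starts and ends outside the hunk, so it is worth confirming there that the user lookup loads `tempPassword` in full.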