Implement password reset request and tests

Author: dmitrizagidulin

default-templates/emails/reset-password.js

@@ -39,7 +39,7 @@ If you did not mean to reset your password, ignore this email, your password wil
 
 <p>To reset your password, click on the following link:</p>
 
-<p>${data.resetUrl}</p>
+<p><a href="${data.resetUrl}">${data.resetUrl}</a></p>
 
 <p>If you did not mean to reset your password, ignore this email, your password will not change.</p>
 `

default-views/account/register.hbs

@@ -45,12 +45,20 @@
         </div>
       </div>
       <input type="hidden" name="returnToUrl" value="{{returnToUrl}}" />
-
     </div>
-    <button type="submit" class="btn btn-primary" id="register">Register</button>
 
-    <div>Already have an account?
-      <a href="/login?returnToUrl={{{returnToUrl}}}">Log In</a>
+    <div class="form-group">
+      <div class="row">
+        <div class="col-md-2">
+          <button type="submit" class="btn btn-primary" id="register">Register</button>
+        </div>
+
+        <div class="col-md-10">
+          <div>Already have an account?
+            <a href="/login?returnToUrl={{{returnToUrl}}}">Log In</a>
+          </div>
+        </div>
+      </div>
     </div>
   </form>
 </div>

default-views/auth/login.hbs

@@ -32,6 +32,27 @@
           <input type="password" class="form-control" name="password" id="password" />
         </div>
       </div>
+    </div>
+
+    <div class="form-group">
+      <div class="row">
+        <div class="col-md-2">
+          <button type="submit" class="btn btn-primary" id="login">Login</button>
+        </div>
+
+        <div class="col-md-4">
+          <div>Don't have an account?
+            <a href="/register?returnToUrl={{{postRegisterUrl}}}">Register</a>
+          </div>
+        </div>
+
+        <div class="col-md-6">
+          <div>Forgot password?
+            <a href="/account/password/reset?returnToUrl={{{postRegisterUrl}}}">Reset password</a>
+          </div>
+        </div>
+      </div>
+
       <input type="hidden" name="response_type" id="response_type" value="{{response_type}}" />
       <input type="hidden" name="display" id="display" value="{{display}}" />
       <input type="hidden" name="scope" id="scope" value="{{scope}}" />
@@ -40,11 +61,6 @@
       <input type="hidden" name="state" id="state" value="{{state}}" />
       <input type="hidden" name="nonce" id="nonce" value="{{nonce}}" />
     </div>
-    <button type="submit" class="btn btn-primary" id="login">Login</button>
-
-    <div>Don't have an account?
-      <a href="/register?returnToUrl={{{postRegisterUrl}}}">Register</a>
-    </div>
   </form>
 </div>
 </body>

default-views/auth/reset-link-sent.hbs

@@ -0,0 +1,17 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Reset Link Sent</title>
+  <link rel="stylesheet" href="/common/css/bootstrap.min.css">
+</head>
+<body>
+<div class="container">
+  <h4>Reset Link Sent</h4>
+</div>
+<div class="container">
+  A Reset Password link has been sent to your email.
+</div>
+</body>
+</html>

default-views/auth/reset-password.hbs

@@ -0,0 +1,58 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Reset Password</title>
+  <link rel="stylesheet" href="/common/css/bootstrap.min.css">
+</head>
+<body>
+<div class="container">
+  <h4>Reset Password</h4>
+</div>
+<div class="container">
+  <form method="post" action="/account/password/reset">
+    <div class="form-group">
+      {{#if error}}
+        <div class="row">
+          <div class="col-md-12">
+            <p class="text-danger"><strong>{{error}}</strong></p>
+          </div>
+        </div>
+      {{/if}}
+      <div class="row">
+        <div class="col-md-12">
+          {{#if multiUser}}
+            <p>Please enter your account name. A password reset link will be
+              emailed to the address you provided during account registration.</p>
+
+            <label for="username">Account Name:</label>
+            <input type="text" class="form-control" name="username" id="username"
+                   placeholder="alice" />
+          {{else}}
+            <p>A password reset link will be
+              emailed to the address you provided during account registration.</p>
+          {{/if}}
+        </div>
+      </div>
+    </div>
+
+    <div class="form-group">
+      <div class="row">
+        <div class="col-md-2">
+          <button type="submit" class="btn btn-primary">Send Reset Link</button>
+        </div>
+
+        <div class="col-md-4">
+          <div>Don't have an account?
+            <a href="/register?returnToUrl={{{returnToUrl}}}">Register</a>
+          </div>
+        </div>
+      </div>
+
+      <input type="hidden" name="returnToUrl" value="{{{returnToUrl}}}" />
+    </div>
+  </form>
+</div>
+</body>
+</html>

lib/api/authn/webid-oidc.js

@@ -8,6 +8,8 @@ const bodyParser = require('body-parser').urlencoded({ extended: false })
 
 const { LoginByPasswordRequest } = require('../../requests/login-request')
 
+const PasswordResetEmailRequest = require('../../requests/password-reset-email-request')
+
 const {
   AuthCallbackRequest,
   LogoutRequest,
@@ -33,6 +35,9 @@ function middleware (oidc) {
   router.get(['/login', '/signin'], LoginByPasswordRequest.get)
   router.post(['/login', '/signin'], bodyParser, LoginByPasswordRequest.post)
 
+  router.get('/account/password/reset', PasswordResetEmailRequest.get)
+  router.post('/account/password/reset', bodyParser, PasswordResetEmailRequest.post)
+
   router.get('/logout', LogoutRequest.handle)
 
   router.get('/goodbye', (req, res) => { res.render('auth/goodbye') })

lib/models/account-manager.js

@@ -391,11 +391,9 @@ class AccountManager {
    * @return {string}
    */
   passwordResetUrl (token, returnToUrl) {
-    let encodedReturnTo = encodeURIComponent(returnToUrl)
-
     let resetUrl = url.resolve(this.host.serverUri,
-      `/api/password/validateReset?token=${token}` +
-      `&returnToUrl=${encodedReturnTo}`)
+      `/account/password/change?token=${token}` +
+      `&returnToUrl=${returnToUrl}`)
 
     return resetUrl
   }
@@ -445,6 +443,8 @@ class AccountManager {
       .then(resetToken => {
         let resetUrl = this.passwordResetUrl(resetToken, returnToUrl)
 
+        debug('Reset URL:', resetUrl)
+
         let emailData = {
           to: userAccount.email,
           webId: userAccount.webId,

lib/models/email-service.js

@@ -119,7 +119,7 @@ class EmailService {
   emailFromTemplate (templateName, data) {
     let template = this.readTemplate(templateName)
 
-    return template.render(data)
+    return Object.assign({}, template.render(data), data)
   }
 
   /**

lib/requests/auth-request.js

@@ -0,0 +1,13 @@
+'use strict'
+
+class AuthRequest {
+  static parseParameter (req, parameter) {
+    let query = req.query || {}
+    let body = req.body || {}
+    let params = req.params || {}
+
+    return query[parameter] || body[parameter] || params[parameter] || null
+  }
+}
+
+module.exports = AuthRequest

lib/requests/create-account-request.js

@@ -1,5 +1,6 @@
 'use strict'
 
+const AuthRequest = require('./auth-request')
 const WebIdTlsCertificate = require('../models/webid-tls-certificate')
 const debug = require('../debug').accounts
 
@@ -16,7 +17,7 @@ const debug = require('../debug').accounts
  *
  * @class CreateAccountRequest
  */
-class CreateAccountRequest {
+class CreateAccountRequest extends AuthRequest {
   /**
    * @param [options={}] {Object}
    * @param [options.accountManager] {AccountManager}
@@ -27,6 +28,7 @@ class CreateAccountRequest {
    *   this url on successful account creation
    */
   constructor (options) {
+    super()
     this.accountManager = options.accountManager
     this.userAccount = options.userAccount
     this.session = options.session
@@ -55,7 +57,7 @@ class CreateAccountRequest {
     let locals = req.app.locals
     let accountManager = locals.accountManager
     let authMethod = locals.authMethod
-    let returnToUrl = CreateAccountRequest.parseReturnUrl(req)
+    let returnToUrl = this.parseParameter(req, 'returnToUrl')
     let userAccount = accountManager.userAccountFrom(req.body)
 
     let options = {
@@ -90,15 +92,6 @@ class CreateAccountRequest {
     response.render('account/register', params)
   }
 
-  static parseReturnUrl (req) {
-    let body = req.body || {}
-    if (body.returnToUrl) { return req.body.returnToUrl }
-
-    if (req.query && req.query.returnToUrl) { return req.query.returnToUrl }
-
-    return null
-  }
-
   static post (req, res) {
     let request
     let returnToUrl = req.body.returnToUrl