From b929c492c0d576c8bde5f5d84b363a4a6c209333 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9rgio=20Rafael=20Siqueira?= Date: Thu, 4 Dec 2025 19:46:26 -0300 Subject: [PATCH] add reset password endpoint --- apps/id.saladeaula.digital/app/routes.ts | 7 +- .../app/events/send_forgot_email.py | 15 ++++- .../app/routes/authentication.py | 24 ++++--- id.saladeaula.digital/app/routes/register.py | 19 ++---- id.saladeaula.digital/app/routes/reset.py | 67 ++++++++++++++++++- id.saladeaula.digital/template.yaml | 2 +- .../tests/events/test_send_forgot_email.py | 3 +- .../tests/routes/test_reset.py | 24 +++++++ id.saladeaula.digital/tests/seeds.jsonl | 4 ++ 9 files changed, 129 insertions(+), 36 deletions(-) create mode 100644 id.saladeaula.digital/tests/routes/test_reset.py diff --git a/apps/id.saladeaula.digital/app/routes.ts b/apps/id.saladeaula.digital/app/routes.ts index d537c36..cedc2be 100644 --- a/apps/id.saladeaula.digital/app/routes.ts +++ b/apps/id.saladeaula.digital/app/routes.ts @@ -8,11 +8,12 @@ import { export default [ layout('routes/layout.tsx', [ index('routes/index.tsx'), + route('/reset/:code', 'routes/reset.tsx'), + route('/forgot', 'routes/forgot.tsx'), + route('/deny', 'routes/deny.tsx'), layout('routes/register/layout.tsx', [ route('/register', 'routes/register/index.tsx') - ]), - route('/forgot', 'routes/forgot.tsx'), - route('/deny', 'routes/deny.tsx') + ]) ]), route('/authorize', 'routes/authorize.ts'), route('/*', 'routes/upstream.ts') diff --git a/id.saladeaula.digital/app/events/send_forgot_email.py b/id.saladeaula.digital/app/events/send_forgot_email.py index 650bf08..18c4ee0 100644 --- a/id.saladeaula.digital/app/events/send_forgot_email.py +++ b/id.saladeaula.digital/app/events/send_forgot_email.py @@ -1,3 +1,6 @@ +import base64 +import json + from aws_lambda_powertools import Logger from aws_lambda_powertools.utilities.data_classes import ( EventBridgeEvent, @@ -17,7 +20,7 @@ Oi {first_name}, tudo bem?

Recebemos sua solicitação para redefinir sua senha na EDUSEG®.
Para continuar, é só clicar no link abaixo:

- + 👉 Clique aqui para redefinir sua senha

@@ -40,6 +43,14 @@ def lambda_handler(event: EventBridgeEvent, context: LambdaContext) -> bool: first_name = first_word(new_image['name']) # Key pattern `CODE#{code}` *_, code = new_image['sk'].split('#') + token = base64.urlsafe_b64encode( + json.dumps( + { + 'user_id': new_image['user_id'], + 'code': code, + } + ).encode() + ).decode() emailmsg = Message( from_=EMAIL_SENDER, @@ -51,7 +62,7 @@ def lambda_handler(event: EventBridgeEvent, context: LambdaContext) -> bool: emailmsg.add_alternative( MESSAGE.format( first_name=first_name, - code=code, + token=token, ) ) diff --git a/id.saladeaula.digital/app/routes/authentication.py b/id.saladeaula.digital/app/routes/authentication.py index b633d61..bd62c85 100644 --- a/id.saladeaula.digital/app/routes/authentication.py +++ b/id.saladeaula.digital/app/routes/authentication.py @@ -2,9 +2,7 @@ from http import HTTPStatus from typing import Annotated from uuid import uuid4 -from aws_lambda_powertools.event_handler import ( - Response, -) +from aws_lambda_powertools.event_handler import Response from aws_lambda_powertools.event_handler.api_gateway import Router from aws_lambda_powertools.event_handler.exceptions import ( NotFoundError, @@ -59,18 +57,22 @@ def authentication( return Response( status_code=HTTPStatus.OK, cookies=[ - Cookie( - name='SID', - value=new_session(user_id), - http_only=True, - secure=True, - same_site=None, - max_age=SESSION_EXPIRES_IN, - ) + cookie(user_id), ], ) +def cookie(user_id: str) -> Cookie: + return Cookie( + name='SID', + value=new_session(user_id), + http_only=True, + secure=True, + same_site=None, + max_age=SESSION_EXPIRES_IN, + ) + + def _get_user(username: str) -> tuple[str, str | None]: sk = SortKey(username, path_spec='user_id') user = dyn.collection.get_items( diff --git a/id.saladeaula.digital/app/routes/register.py b/id.saladeaula.digital/app/routes/register.py index 09adcac..6212d4f 100644 --- a/id.saladeaula.digital/app/routes/register.py +++ b/id.saladeaula.digital/app/routes/register.py @@ -16,9 +16,9 @@ from passlib.hash import pbkdf2_sha256 from pydantic import UUID4, EmailStr from boto3clients import dynamodb_client -from config import SESSION_EXPIRES_IN, USER_TABLE +from config import USER_TABLE -from .authentication import new_session +from .authentication import cookie router = Router() dyn = DynamoDBPersistenceLayer(USER_TABLE, dynamodb_client) @@ -74,7 +74,7 @@ def register( compress=True, body=asdict(new_user), cookies=[ - _cookie(existing['id']), + cookie(existing['id']), ], ) @@ -86,22 +86,11 @@ def register( compress=True, body=asdict(new_user), cookies=[ - _cookie(new_user.id), + cookie(new_user.id), ], ) -def _cookie(user_id: str) -> Cookie: - return Cookie( - name='SID', - value=new_session(user_id), - http_only=True, - secure=True, - same_site=None, - max_age=SESSION_EXPIRES_IN, - ) - - def _create_user(*, user: User, password: str): now_ = now() diff --git a/id.saladeaula.digital/app/routes/reset.py b/id.saladeaula.digital/app/routes/reset.py index 7d7dbec..49c5279 100644 --- a/id.saladeaula.digital/app/routes/reset.py +++ b/id.saladeaula.digital/app/routes/reset.py @@ -1,14 +1,75 @@ +import base64 +import json +from http import HTTPStatus from typing import Annotated +from aws_lambda_powertools.event_handler import Response from aws_lambda_powertools.event_handler.api_gateway import Router +from aws_lambda_powertools.event_handler.exceptions import ( + BadRequestError, + ServiceError, +) from aws_lambda_powertools.event_handler.openapi.params import Body, Path +from layercake.dateutils import now +from layercake.dynamodb import DynamoDBPersistenceLayer, KeyPair +from passlib.hash import pbkdf2_sha256 + +from boto3clients import dynamodb_client +from config import USER_TABLE + +from .authentication import UserNotFoundError, cookie router = Router() +dyn = DynamoDBPersistenceLayer(USER_TABLE, dynamodb_client) -@router.post('/reset') +class GoneError(ServiceError): + def __init__(self, msg: str | dict): + super().__init__(HTTPStatus.GONE, msg) + + +class InvalidCodeError(GoneError): ... + + +@router.post('/reset/') def reset( new_password: Annotated[str, Body(min_length=6, embed=True)], - code: Annotated[str, Path], + token: Annotated[str, Path], ): - return {} + try: + decoded_data = json.loads(base64.urlsafe_b64decode(token)) + user_id, code = decoded_data['user_id'], decoded_data['code'] + except Exception as exc: + raise BadRequestError(str(exc)) + + with dyn.transact_writer() as transact: + transact.condition( + key=KeyPair(user_id, '0'), + cond_expr='attribute_exists(sk)', + exc_cls=UserNotFoundError, + ) + transact.delete( + key=KeyPair('PASSWORD_RESET', f'CODE#{code}'), + cond_expr='attribute_exists(sk)', + exc_cls=InvalidCodeError, + ) + transact.delete( + key=KeyPair('PASSWORD_RESET', f'USER#{user_id}'), + cond_expr='attribute_exists(sk)', + exc_cls=InvalidCodeError, + ) + transact.put( + item={ + 'id': user_id, + 'sk': 'PASSWORD', + 'hash': pbkdf2_sha256.hash(new_password), + 'created_at': now(), + } + ) + + return Response( + status_code=HTTPStatus.OK, + cookies=[ + cookie(user_id), + ], + ) diff --git a/id.saladeaula.digital/template.yaml b/id.saladeaula.digital/template.yaml index 5e363ad..fec01d4 100644 --- a/id.saladeaula.digital/template.yaml +++ b/id.saladeaula.digital/template.yaml @@ -53,7 +53,7 @@ Resources: LogGroup: !Ref HttpLog Policies: - DynamoDBCrudPolicy: - TableName: !Ref OAuth2Table + TableName: !Ref UserTable - Version: 2012-10-17 Statement: - Effect: Allow diff --git a/id.saladeaula.digital/tests/events/test_send_forgot_email.py b/id.saladeaula.digital/tests/events/test_send_forgot_email.py index 4782557..2d824f9 100644 --- a/id.saladeaula.digital/tests/events/test_send_forgot_email.py +++ b/id.saladeaula.digital/tests/events/test_send_forgot_email.py @@ -10,9 +10,10 @@ def test_send_forgot_email(monkeypatch, lambda_context: LambdaContext): 'detail': { 'new_image': { 'id': 'PASSWORD_RESET', - 'sk': 'CODE#123', + 'sk': 'CODE#820b3cbc-e2e2-440e-9cec-7958725e8f52', 'name': 'Sérgio R Siqueira', 'email': 'sergio@somosbeta.com.br', + 'user_id': '6c992e55-f483-44ce-a940-5394c3e00645', } } } diff --git a/id.saladeaula.digital/tests/routes/test_reset.py b/id.saladeaula.digital/tests/routes/test_reset.py new file mode 100644 index 0000000..5850b61 --- /dev/null +++ b/id.saladeaula.digital/tests/routes/test_reset.py @@ -0,0 +1,24 @@ +from http import HTTPMethod, HTTPStatus + +from layercake.dynamodb import DynamoDBPersistenceLayer + +from ..conftest import HttpApiProxy, LambdaContext + + +def test_reset( + app, + seeds, + dynamodb_persistence_layer: DynamoDBPersistenceLayer, + http_api_proxy: HttpApiProxy, + lambda_context: LambdaContext, +): + r = app.lambda_handler( + http_api_proxy( + raw_path='/reset/eyJ1c2VyX2lkIjogIjZjOTkyZTU1LWY0ODMtNDRjZS1hOTQwLTUzOTRjM2UwMDY0NSIsICJjb2RlIjogIjgyMGIzY2JjLWUyZTItNDQwZS05Y2VjLTc5NTg3MjVlOGY1MiJ9', + method=HTTPMethod.POST, + body={'new_password': '123@56'}, + ), + lambda_context, + ) + + assert r['statusCode'] == HTTPStatus.OK diff --git a/id.saladeaula.digital/tests/seeds.jsonl b/id.saladeaula.digital/tests/seeds.jsonl index d7f32e5..5d138d1 100644 --- a/id.saladeaula.digital/tests/seeds.jsonl +++ b/id.saladeaula.digital/tests/seeds.jsonl @@ -28,3 +28,7 @@ {"id": "email", "sk": "sergio@somosbeta.com.br", "user_id": "357db1c5-7442-4075-98a3-fbe5c938a419"} {"id": "email", "sk": "osergiosiqueira@gmail.com", "user_id": "357db1c5-7442-4075-98a3-fbe5c938a419"} {"id": "cpf", "sk": "07879819908", "user_id": "357db1c5-7442-4075-98a3-fbe5c938a419"} + +{"id": "6c992e55-f483-44ce-a940-5394c3e00645", "sk": "0", "name": "Sérgio R Siqueira"} +{"id": "PASSWORD_RESET", "sk": "USER#6c992e55-f483-44ce-a940-5394c3e00645"} +{"id": "PASSWORD_RESET", "sk": "CODE#820b3cbc-e2e2-440e-9cec-7958725e8f52"}