add reset password endpoint

id.saladeaula.digital/app/events/send_forgot_email.py

@@ -1,3 +1,6 @@
+import base64
+import json
+
 from aws_lambda_powertools import Logger
 from aws_lambda_powertools.utilities.data_classes import (
     EventBridgeEvent,
@@ -17,7 +20,7 @@ Oi {first_name}, tudo bem?<br/><br/>
 Recebemos sua solicitação para redefinir sua senha na EDUSEG®.<br/>
 Para continuar, é só clicar no link abaixo:<br/><br/>
 
-<a href="https://id.saladeaula.digital/reset/{code}">
+<a href="https://id.saladeaula.digital/reset/{token}">
     👉 Clique aqui para redefinir sua senha
 </a>
 <br/><br/>
@@ -40,6 +43,14 @@ def lambda_handler(event: EventBridgeEvent, context: LambdaContext) -> bool:
     first_name = first_word(new_image['name'])
     # Key pattern `CODE#{code}`
     *_, code = new_image['sk'].split('#')
+    token = base64.urlsafe_b64encode(
+        json.dumps(
+            {
+                'user_id': new_image['user_id'],
+                'code': code,
+            }
+        ).encode()
+    ).decode()
 
     emailmsg = Message(
         from_=EMAIL_SENDER,
@@ -51,7 +62,7 @@ def lambda_handler(event: EventBridgeEvent, context: LambdaContext) -> bool:
     emailmsg.add_alternative(
         MESSAGE.format(
             first_name=first_name,
-            code=code,
+            token=token,
         )
     )
 

id.saladeaula.digital/app/routes/authentication.py

@@ -2,9 +2,7 @@ from http import HTTPStatus
 from typing import Annotated
 from uuid import uuid4
 
-from aws_lambda_powertools.event_handler import (
-    Response,
-)
+from aws_lambda_powertools.event_handler import Response
 from aws_lambda_powertools.event_handler.api_gateway import Router
 from aws_lambda_powertools.event_handler.exceptions import (
     NotFoundError,
@@ -59,18 +57,22 @@ def authentication(
     return Response(
         status_code=HTTPStatus.OK,
         cookies=[
-            Cookie(
-                name='SID',
-                value=new_session(user_id),
-                http_only=True,
-                secure=True,
-                same_site=None,
-                max_age=SESSION_EXPIRES_IN,
-            )
+            cookie(user_id),
         ],
     )
 
 
+def cookie(user_id: str) -> Cookie:
+    return Cookie(
+        name='SID',
+        value=new_session(user_id),
+        http_only=True,
+        secure=True,
+        same_site=None,
+        max_age=SESSION_EXPIRES_IN,
+    )
+
+
 def _get_user(username: str) -> tuple[str, str | None]:
     sk = SortKey(username, path_spec='user_id')
     user = dyn.collection.get_items(

id.saladeaula.digital/app/routes/register.py

@@ -16,9 +16,9 @@ from passlib.hash import pbkdf2_sha256
 from pydantic import UUID4, EmailStr
 
 from boto3clients import dynamodb_client
-from config import SESSION_EXPIRES_IN, USER_TABLE
+from config import USER_TABLE
 
-from .authentication import new_session
+from .authentication import cookie
 
 router = Router()
 dyn = DynamoDBPersistenceLayer(USER_TABLE, dynamodb_client)
@@ -74,7 +74,7 @@ def register(
             compress=True,
             body=asdict(new_user),
             cookies=[
-                _cookie(existing['id']),
+                cookie(existing['id']),
             ],
         )
 
@@ -86,22 +86,11 @@ def register(
         compress=True,
         body=asdict(new_user),
         cookies=[
-            _cookie(new_user.id),
+            cookie(new_user.id),
         ],
     )
 
 
-def _cookie(user_id: str) -> Cookie:
-    return Cookie(
-        name='SID',
-        value=new_session(user_id),
-        http_only=True,
-        secure=True,
-        same_site=None,
-        max_age=SESSION_EXPIRES_IN,
-    )
-
-
 def _create_user(*, user: User, password: str):
     now_ = now()
 

id.saladeaula.digital/app/routes/reset.py

@@ -1,14 +1,75 @@
+import base64
+import json
+from http import HTTPStatus
 from typing import Annotated
 
+from aws_lambda_powertools.event_handler import Response
 from aws_lambda_powertools.event_handler.api_gateway import Router
+from aws_lambda_powertools.event_handler.exceptions import (
+    BadRequestError,
+    ServiceError,
+)
 from aws_lambda_powertools.event_handler.openapi.params import Body, Path
+from layercake.dateutils import now
+from layercake.dynamodb import DynamoDBPersistenceLayer, KeyPair
+from passlib.hash import pbkdf2_sha256
+
+from boto3clients import dynamodb_client
+from config import USER_TABLE
+
+from .authentication import UserNotFoundError, cookie
 
 router = Router()
+dyn = DynamoDBPersistenceLayer(USER_TABLE, dynamodb_client)
 
 
-@router.post('/reset')
+class GoneError(ServiceError):
+    def __init__(self, msg: str | dict):
+        super().__init__(HTTPStatus.GONE, msg)
+
+
+class InvalidCodeError(GoneError): ...
+
+
+@router.post('/reset/<token>')
 def reset(
     new_password: Annotated[str, Body(min_length=6, embed=True)],
-    code: Annotated[str, Path],
+    token: Annotated[str, Path],
 ):
-    return {}
+    try:
+        decoded_data = json.loads(base64.urlsafe_b64decode(token))
+        user_id, code = decoded_data['user_id'], decoded_data['code']
+    except Exception as exc:
+        raise BadRequestError(str(exc))
+
+    with dyn.transact_writer() as transact:
+        transact.condition(
+            key=KeyPair(user_id, '0'),
+            cond_expr='attribute_exists(sk)',
+            exc_cls=UserNotFoundError,
+        )
+        transact.delete(
+            key=KeyPair('PASSWORD_RESET', f'CODE#{code}'),
+            cond_expr='attribute_exists(sk)',
+            exc_cls=InvalidCodeError,
+        )
+        transact.delete(
+            key=KeyPair('PASSWORD_RESET', f'USER#{user_id}'),
+            cond_expr='attribute_exists(sk)',
+            exc_cls=InvalidCodeError,
+        )
+        transact.put(
+            item={
+                'id': user_id,
+                'sk': 'PASSWORD',
+                'hash': pbkdf2_sha256.hash(new_password),
+                'created_at': now(),
+            }
+        )
+
+    return Response(
+        status_code=HTTPStatus.OK,
+        cookies=[
+            cookie(user_id),
+        ],
+    )