Now disableing users while they're in the process of resetting their password

ref #40

src/errors/AuthError.ts

@@ -118,7 +118,7 @@ export class RefreshTokenCountInvalidError extends NotAcceptableError {
 }
 
 /**
- * Error to throw when someone tryes to refresh a user's password more than once in 15 minutes.
+ * Error to throw when someone tryes to reset a user's password more than once in 15 minutes.
  */
 export class ResetAlreadyRequestedError extends NotAcceptableError {
 	@IsString()
@@ -126,4 +126,15 @@ export class ResetAlreadyRequestedError extends NotAcceptableError {
 
 	@IsString()
 	message = "You already requested a password reset in the last 15 minutes. \n Please wait until the old reset code expires before requesting a new one."
+}
+
+/**
+ * Error to throw when someone tries a disabled user's password or login as a disabled user.
+ */
+export class UserDisabledError extends NotAcceptableError {
+	@IsString()
+	name = "UserDisabledError"
+
+	@IsString()
+	message = "This user is currently disabled. \n Please contact your administrator if this is a mistake."
 }

src/models/actions/CreateResetToken.ts

@@ -1,6 +1,6 @@
 import { IsEmail, IsOptional, IsString } from 'class-validator';
 import { getConnectionManager } from 'typeorm';
-import { ResetAlreadyRequestedError, UserNotFoundError } from '../../errors/AuthError';
+import { ResetAlreadyRequestedError, UserDisabledError, UserNotFoundError } from '../../errors/AuthError';
 import { UsernameOrEmailNeededError } from '../../errors/UserErrors';
 import { JwtCreator } from '../../jwtcreator';
 import { User } from '../entities/User';
@@ -33,14 +33,13 @@ export class CreateResetToken {
             throw new UsernameOrEmailNeededError();
         }
         let found_user = await getConnectionManager().get().getRepository(User).findOne({ where: [{ username: this.username }, { email: this.email }] });
-        if (!found_user) {
-            throw new UserNotFoundError();
-        }
-
+        if (!found_user) { throw new UserNotFoundError(); }
+        if (found_user.enabled == false) { throw new UserDisabledError(); }
         if (found_user.resetRequestedTimestamp > (Math.floor(Date.now() / 1000) - 15 * 60)) { throw new ResetAlreadyRequestedError(); }
 
         found_user.refreshTokenCount = found_user.refreshTokenCount + 1;
         found_user.resetRequestedTimestamp = Math.floor(Date.now() / 1000);
+        found_user.enabled = false;
         await getConnectionManager().get().getRepository(User).save(found_user);
 
         //Create the reset

src/models/actions/ResetPassword.ts

@@ -3,7 +3,7 @@ import { IsNotEmpty, IsOptional, IsString } from 'class-validator';
 import * as jsonwebtoken from 'jsonwebtoken';
 import { getConnectionManager } from 'typeorm';
 import { config } from '../../config';
-import { IllegalJWTError, JwtNotProvidedError, PasswordNeededError, RefreshTokenCountInvalidError, UserNotFoundError } from '../../errors/AuthError';
+import { IllegalJWTError, JwtNotProvidedError, PasswordNeededError, RefreshTokenCountInvalidError, UserDisabledError, UserNotFoundError } from '../../errors/AuthError';
 import { User } from '../entities/User';
 
 /**
@@ -44,15 +44,13 @@ export class ResetPassword {
         }
 
         const found_user = await getConnectionManager().get().getRepository(User).findOne({ id: decoded["id"] });
-        if (!found_user) {
-            throw new UserNotFoundError()
-        }
-        if (found_user.refreshTokenCount !== decoded["refreshTokenCount"]) {
-            throw new RefreshTokenCountInvalidError()
-        }
+        if (!found_user) { throw new UserNotFoundError(); }
+        if (found_user.refreshTokenCount !== decoded["refreshTokenCount"]) { throw new RefreshTokenCountInvalidError(); }
+        if (found_user.enabled == false) { throw new UserDisabledError(); }
 
         found_user.refreshTokenCount = found_user.refreshTokenCount + 1;
         found_user.password = await argon2.hash(this.password + found_user.uuid);
+        found_user.enabled = true;
         await getConnectionManager().get().getRepository(User).save(found_user);
 
         return "password reset successfull";