Fix signin regex validation (#1850)

Co-authored-by: Joan Reyero <joan@crowd.dev>

Author: gaspergrom

backend/src/api/tenant/index.ts

@@ -15,6 +15,7 @@ export default (app) => {
   app.get(`/tenant`, safeWrap(require('./tenantList').default))
   app.get(`/tenant/url`, safeWrap(require('./tenantFind').default))
   app.get(`/tenant/:id`, safeWrap(require('./tenantFind').default))
+  app.get(`/tenant/:id/name`, safeWrap(require('./tenantFindName').default))
   app.get(`/tenant/:tenantId/membersToMerge`, safeWrap(require('./tenantMembersToMerge').default))
   app.get(
     `/tenant/:tenantId/organizationsToMerge`,

backend/src/api/tenant/tenantFind.ts

@@ -1,10 +1,13 @@
 import identifyTenant from '../../segment/identifyTenant'
 import TenantService from '../../services/tenantService'
 import Error404 from '../../errors/Error404'
+import PermissionChecker from '../../services/user/permissionChecker'
+import Permissions from '../../security/permissions'
 
 export default async (req, res) => {
+  req.currentTenant = { id: req.params.id }
+  new PermissionChecker(req).validateHas(Permissions.values.memberRead)
   let payload
-
   if (req.params.id) {
     payload = await new TenantService(req).findById(req.params.id)
   } else {

backend/src/api/tenant/tenantFindName.ts

@@ -0,0 +1,23 @@
+import identifyTenant from '../../segment/identifyTenant'
+import TenantService from '../../services/tenantService'
+import Error404 from '../../errors/Error404'
+
+export default async (req, res) => {
+  // This endpoint is unauthenticated on purpose, but public reprots.
+  const payload = await new TenantService(req).findById(req.params.id)
+
+  if (payload) {
+    if (req.currentUser) {
+      identifyTenant({ ...req, currentTenant: payload })
+    }
+
+    const payloadOut = {
+      name: payload.name,
+      id: payload.id,
+    }
+
+    await req.responseHandler.success(req, res, payloadOut)
+  } else {
+    throw new Error404()
+  }
+}

backend/src/database/repositories/userRepository.ts

@@ -547,12 +547,22 @@ export default class UserRepository {
         status: 'active',
       },
     })
+
     record = {
       ...record,
       ...record.json,
     }
     delete record.json
 
+    // Remove sensitive fields
+    delete record.password
+    delete record.emailVerificationToken
+    delete record.emailVerificationTokenExpiresAt
+    delete record.providerId
+    delete record.passwordResetToken
+    delete record.passwordResetTokenExpiresAt
+    delete record.jwtTokenInvalidBefore
+
     if (!record) {
       throw new Error404()
     }

backend/src/i18n/en.ts

@@ -45,6 +45,8 @@ const en = {
       invalidToken: 'Invalid or expired password reset link',
       error: `Invalid email`,
     },
+    passwordInvalid:
+      'Passwords must have at least one letter, one number, one symbol, and be at least 8 characters long.',
     emailAddressVerificationEmail: {
       invalidToken: 'Invalid or expired email verification link.',
       error: `Email not recognized.`,

backend/src/security/permissions.ts

@@ -99,7 +99,7 @@ class Permissions {
       },
       userRead: {
         id: 'userRead',
-        allowedRoles: [roles.admin, roles.readonly],
+        allowedRoles: [roles.admin],
         allowedPlans: [
           plans.essential,
           plans.growth,
@@ -110,7 +110,7 @@ class Permissions {
       },
       userAutocomplete: {
         id: 'userAutocomplete',
-        allowedRoles: [roles.admin, roles.readonly],
+        allowedRoles: [roles.admin],
         allowedPlans: [
           plans.essential,
           plans.growth,

backend/src/services/auth/authService.ts

@@ -38,6 +38,12 @@ class AuthService {
 
       const existingUser = await UserRepository.findByEmail(email, options)
 
+      const passwordRegex = /^(?=.*[A-Za-z])(?=.*\d)(?=.*[@$!%*#?&])[A-Za-z\d@$!%*#?&]{8,}$/
+
+      if (!passwordRegex.test(password)) {
+        throw new Error400(options.language, 'auth.passwordInvalid')
+      }
+
       // Generates a hashed password to hide the original one.
       const hashedPassword = await bcrypt.hash(password, BCRYPT_SALT_ROUNDS)
 

frontend/src/i18n/en.js

@@ -813,7 +813,7 @@ const en = {
   /* eslint-disable */
   validation: {
     mixed: {
-      default: 'path} is invalid',
+      default: '{path} is invalid',
       required: 'This field is required',
       oneOf:
         '{path} must be one of the following values: ${values}',

frontend/src/modules/auth/pages/signin-page.vue

@@ -72,6 +72,11 @@
                 class="h-4 flex items-center ri-error-warning-line text-base text-red-500"
               />
               <span
+                v-if="error === 'Password is invalid'"
+                class="pl-1 text-2xs text-red-500 leading-4.5"
+              >Passwords must have at least one letter, one number, one symbol, and be at least 8 characters long.</span>
+              <span
+                v-else
                 class="pl-1 text-2xs text-red-500 leading-4.5"
               >{{ error }}</span>
             </div>
@@ -166,7 +171,7 @@ export default {
     return {
       rules: {
         email: fields.email.forFormRules(),
-        password: fields.password.forFormRules(),
+        password: fields.passwordSignin.forFormRules(),
         rememberMe: fields.rememberMe.forFormRules(),
       },
       model: {

frontend/src/modules/auth/pages/signup-page.vue

@@ -129,6 +129,11 @@
                 class="h-4 flex items-center ri-error-warning-line text-base text-red-500"
               />
               <span
+                v-if="error === 'Password is invalid'"
+                class="pl-1 text-2xs text-red-500 leading-4.5"
+              >Passwords must have at least one letter, one number, one symbol, and be at least 8 characters long.</span>
+              <span
+                v-else
                 class="pl-1 text-2xs text-red-500 leading-4.5"
               >{{ error }}</span>
             </div>