shellphone.app/app/features/auth/actions/forgot-password.ts

import { type ActionFunction, json } from "@remix-run/node";
import { type User, TokenType } from "@prisma/client";

import db from "~/utils/db.server";
import { type FormError, validate } from "~/utils/validation.server";
import { sendForgotPasswordEmail } from "~/mailers/forgot-password-mailer.server";
import { generateToken, hashToken } from "~/utils/token.server";
import { ForgotPassword } from "../validations";

const RESET_PASSWORD_TOKEN_EXPIRATION_IN_HOURS = 24;

type ForgotPasswordFailureActionData = { errors: FormError<typeof ForgotPassword>; submitted?: never };
type ForgotPasswordSuccessfulActionData = { errors?: never; submitted: true };
export type ForgotPasswordActionData = ForgotPasswordFailureActionData | ForgotPasswordSuccessfulActionData;

const action: ActionFunction = async ({ request }) => {
	const formData = Object.fromEntries(await request.formData());
	const validation = validate(ForgotPassword, formData);
	if (validation.errors) {
		return json<ForgotPasswordFailureActionData>({ errors: validation.errors });
	}

	const { email } = validation.data;
	const user = await db.user.findUnique({ where: { email: email.toLowerCase() } });

	// always wait the same amount of time so attackers can't tell the difference whether a user is found
	await Promise.all([updatePassword(user), new Promise((resolve) => setTimeout(resolve, 750))]);

	// return the same result whether a password reset email was sent or not
	return json<ForgotPasswordSuccessfulActionData>({ submitted: true });
};

export default action;

async function updatePassword(user: User | null) {
	const membership = await db.membership.findFirst({ where: { userId: user?.id } });
	if (!user || !membership) {
		return;
	}

	const token = generateToken();
	const hashedToken = hashToken(token);
	const expiresAt = new Date();
	expiresAt.setHours(expiresAt.getHours() + RESET_PASSWORD_TOKEN_EXPIRATION_IN_HOURS);

	await db.token.deleteMany({ where: { type: TokenType.RESET_PASSWORD, userId: user.id } });
	await db.token.create({
		data: {
			user: { connect: { id: user.id } },
			membership: { connect: { id: membership.id } },
			type: TokenType.RESET_PASSWORD,
			expiresAt,
			hashedToken,
			sentTo: user.email,
		},
	});

	await sendForgotPasswordEmail({
		to: user.email,
		token,
		userName: user.fullName,
	});
}
remixed v0 2022-05-14 10:22:06 +00:00			`import { type ActionFunction, json } from "@remix-run/node";`
			`import { type User, TokenType } from "@prisma/client";`

			`import db from "~/utils/db.server";`
			`import { type FormError, validate } from "~/utils/validation.server";`
			`import { sendForgotPasswordEmail } from "~/mailers/forgot-password-mailer.server";`
			`import { generateToken, hashToken } from "~/utils/token.server";`
			`import { ForgotPassword } from "../validations";`

			`const RESET_PASSWORD_TOKEN_EXPIRATION_IN_HOURS = 24;`

			`type ForgotPasswordFailureActionData = { errors: FormError<typeof ForgotPassword>; submitted?: never };`
			`type ForgotPasswordSuccessfulActionData = { errors?: never; submitted: true };`
			`export type ForgotPasswordActionData = ForgotPasswordFailureActionData \| ForgotPasswordSuccessfulActionData;`

			`const action: ActionFunction = async ({ request }) => {`
			`const formData = Object.fromEntries(await request.formData());`
			`const validation = validate(ForgotPassword, formData);`
			`if (validation.errors) {`
			`return json<ForgotPasswordFailureActionData>({ errors: validation.errors });`
			`}`

			`const { email } = validation.data;`
			`const user = await db.user.findUnique({ where: { email: email.toLowerCase() } });`

			`// always wait the same amount of time so attackers can't tell the difference whether a user is found`
			`await Promise.all([updatePassword(user), new Promise((resolve) => setTimeout(resolve, 750))]);`

			`// return the same result whether a password reset email was sent or not`
			`return json<ForgotPasswordSuccessfulActionData>({ submitted: true });`
			`};`

			`export default action;`

			`async function updatePassword(user: User \| null) {`
			`const membership = await db.membership.findFirst({ where: { userId: user?.id } });`
			`if (!user \|\| !membership) {`
			`return;`
			`}`

			`const token = generateToken();`
			`const hashedToken = hashToken(token);`
			`const expiresAt = new Date();`
			`expiresAt.setHours(expiresAt.getHours() + RESET_PASSWORD_TOKEN_EXPIRATION_IN_HOURS);`

			`await db.token.deleteMany({ where: { type: TokenType.RESET_PASSWORD, userId: user.id } });`
			`await db.token.create({`
			`data: {`
			`user: { connect: { id: user.id } },`
			`membership: { connect: { id: membership.id } },`
			`type: TokenType.RESET_PASSWORD,`
			`expiresAt,`
			`hashedToken,`
			`sentTo: user.email,`
			`},`
			`});`

			`await sendForgotPasswordEmail({`
			`to: user.email,`
			`token,`
			`userName: user.fullName,`
			`});`
			`}`