Merge pull request #481 from adithyadinesh0412/develop

Captcha and otp security changes
ELEVATE-Project · Apr 3, 2024 · 504b68a · 504b68a
2 parents 80e88bb + ddd4c1f
commit 504b68a
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 9 deletions.
diff --git a/src/constants/common.js b/src/constants/common.js
@@ -91,5 +91,5 @@ module.exports = {
 	DELETED_STATUS: 'DELETED',
 	DEFAULT_ORG_VISIBILITY: 'PUBLIC',
 	ROLE_TYPE_NON_SYSTEM: 0,
-	captchaEnabledAPIs: ['/user/v1/account/login', '/user/v1/account/create', '/user/v1/account/resetPassword'],
+	captchaEnabledAPIs: ['/user/v1/account/login', '/user/v1/account/generateOtp', '/user/v1/account/registrationOtp'],
 }
diff --git a/src/services/account.js b/src/services/account.js
@@ -838,6 +838,15 @@ module.exports = class AccountHelper {
 		try {
 			const plaintextEmailId = bodyData.email.toLowerCase()
 			const encryptedEmailId = emailEncryption.encrypt(plaintextEmailId)
+
+			const redisData = await utilsHelper.redisGet(encryptedEmailId)
+			if (!redisData || redisData.otp != bodyData.otp) {
+				return responses.failureResponse({
+					message: 'RESET_OTP_INVALID',
+					statusCode: httpStatusCode.bad_request,
+					responseCode: 'CLIENT_ERROR',
+				})
+			}
 			const userCredentials = await UserCredentialQueries.findOne({
 				email: encryptedEmailId,
 				password: {
@@ -876,14 +885,6 @@ module.exports = class AccountHelper {
 			}
 			user.user_roles = roles
 
-			const redisData = await utilsHelper.redisGet(encryptedEmailId)
-			if (!redisData || redisData.otp != bodyData.otp) {
-				return responses.failureResponse({
-					message: 'RESET_OTP_INVALID',
-					statusCode: httpStatusCode.bad_request,
-					responseCode: 'CLIENT_ERROR',
-				})
-			}
 			const isPasswordSame = bcryptJs.compareSync(bodyData.password, userCredentials.password)
 			if (isPasswordSame) {
 				return responses.failureResponse({