fix(core): Use JWT as reset password token

packages/cli/src/auth/jwt.ts

@@ -38,7 +38,6 @@ export function issueJWT(user: User): JwtToken {
 
 	const signedToken = jwt.sign(payload, config.getEnv('userManagement.jwtSecret'), {
 		expiresIn: expiresIn / 1000 /* in seconds */,
-		algorithm: 'HS256',
 	});
 
 	return {

packages/cli/src/controllers/passwordReset.controller.ts

@@ -28,6 +28,8 @@ import { UserService } from '@/user/user.service';
 import { License } from '@/License';
 import { Container } from 'typedi';
 import { RESPONSE_ERROR_MESSAGES } from '@/constants';
+import jwt, { TokenExpiredError } from 'jsonwebtoken';
+import config from '@/config';
 
 @RestController()
 export class PasswordResetController {
@@ -175,48 +177,61 @@ export class PasswordResetController {
 	 */
 	@Get('/resolve-password-token')
 	async resolvePasswordToken(req: PasswordResetRequest.Credentials) {
-		const { token: resetPasswordToken, userId: id } = req.query;
+		const { token: resetPasswordToken } = req.query;
 
-		if (!resetPasswordToken || !id) {
+		if (!resetPasswordToken) {
 			this.logger.debug(
-				'Request to resolve password token failed because of missing password reset token or user ID in query string',
+				'Request to resolve password token failed because of missing password reset token',
 				{
 					queryString: req.query,
 				},
 			);
 			throw new BadRequestError('');
 		}
 
-		// Timestamp is saved in seconds
-		const currentTimestamp = Math.floor(Date.now() / 1000);
+		let decodedToken: jwt.JwtPayload;
+
+		try {
+			decodedToken = jwt.verify(resetPasswordToken, config.getEnv('userManagement.jwtSecret'), {
+				ignoreExpiration: false,
+			}) as jwt.JwtPayload;
+		} catch (e) {
+			if (e instanceof TokenExpiredError) {
+				this.logger.debug('Reset password token expired', {
+					resetPasswordToken,
+				});
+				throw new NotFoundError('');
+			}
+			throw new BadRequestError('');
+		}
 
 		const user = await this.userRepository.findOne({
 			where: {
-				id,
-				resetPasswordToken,
-				resetPasswordTokenExpiration: MoreThanOrEqual(currentTimestamp),
+				id: decodedToken.id,
 			},
 			relations: ['globalRole'],
 		});
+
 		if (!user?.isOwner && !Container.get(License).isWithinUsersLimit()) {
 			this.logger.debug(
 				'Request to resolve password token failed because the user limit was reached',
-				{ userId: id },
+				{ userId: user.id },
 			);
 			throw new UnauthorizedError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
 		}
+
 		if (!user) {
 			this.logger.debug(
-				'Request to resolve password token failed because no user was found for the provided user ID and reset password token',
+				'Request to resolve password token failed because no user was found for the provided user ID',
 				{
-					userId: id,
+					userId: decodedToken.sub,
 					resetPasswordToken,
 				},
 			);
 			throw new NotFoundError('');
 		}
 
-		this.logger.info('Reset-password token resolved successfully', { userId: id });
+		this.logger.info('Reset-password token resolved successfully', { userId: user.id });
 		void this.internalHooks.onUserPasswordResetEmailClick({ user });
 	}
 
@@ -225,9 +240,9 @@ export class PasswordResetController {
 	 */
 	@Post('/change-password')
 	async changePassword(req: PasswordResetRequest.NewPassword, res: Response) {
-		const { token: resetPasswordToken, userId, password } = req.body;
+		const { token: resetPasswordToken, password } = req.body;
 
-		if (!resetPasswordToken || !userId || !password) {
+		if (!resetPasswordToken || !password) {
 			this.logger.debug(
 				'Request to change password failed because of missing user ID or password or reset password token in payload',
 				{
@@ -239,23 +254,31 @@ export class PasswordResetController {
 
 		const validPassword = validatePassword(password);
 
-		// Timestamp is saved in seconds
-		const currentTimestamp = Math.floor(Date.now() / 1000);
+		let decodedToken: jwt.JwtPayload;
+
+		try {
+			decodedToken = jwt.verify(resetPasswordToken, config.getEnv('userManagement.jwtSecret'), {
+				ignoreExpiration: false,
+			}) as jwt.JwtPayload;
+		} catch (e) {
+			if (e instanceof TokenExpiredError) {
+				this.logger.debug('Reset password token expired', {
+					resetPasswordToken,
+				});
+				throw new NotFoundError('');
+			}
+			throw new BadRequestError('');
+		}
 
 		const user = await this.userRepository.findOne({
-			where: {
-				id: userId,
-				resetPasswordToken,
-				resetPasswordTokenExpiration: MoreThanOrEqual(currentTimestamp),
-			},
+			where: { id: decodedToken.sub },
 			relations: ['authIdentities'],
 		});
 
 		if (!user) {
 			this.logger.debug(
-				'Request to resolve password token failed because no user was found for the provided user ID and reset password token',
+				'Request to resolve password token failed because no user was found for the provided user ID',
 				{
-					userId,
 					resetPasswordToken,
 				},
 			);
@@ -264,13 +287,11 @@ export class PasswordResetController {
 
 		const passwordHash = await hashPassword(validPassword);
 
-		await this.userRepository.update(userId, {
+		await this.userRepository.update(user.id, {
 			password: passwordHash,
-			resetPasswordToken: null,
-			resetPasswordTokenExpiration: null,
 		});
 
-		this.logger.info('User password updated successfully', { userId });
+		this.logger.info('User password updated successfully', { userId: user.id });
 
 		await issueCookie(res, user);
 

packages/cli/src/user/user.service.ts

@@ -5,6 +5,8 @@ import * as Db from '@/Db';
 import { User } from '@db/entities/User';
 import type { IUserSettings } from 'n8n-workflow';
 import { getInstanceBaseUrl } from '../UserManagement/UserManagementHelper';
+import jwt from 'jsonwebtoken';
+import config from '@/config';
 
 export class UserService {
 	static async get(where: FindOptionsWhere<User>): Promise<User | null> {
@@ -26,15 +28,13 @@ export class UserService {
 	}
 
 	static async generatePasswordResetUrl(user: User): Promise<string> {
-		user.resetPasswordToken = uuid();
-		const { id, resetPasswordToken } = user;
-		const resetPasswordTokenExpiration = Math.floor(Date.now() / 1000) + 7200;
-		await Db.collections.User.update(id, { resetPasswordToken, resetPasswordTokenExpiration });
-
+		const { id } = user;
+		const token = jwt.sign({ sub: id }, config.getEnv('userManagement.jwtSecret'), {
+			expiresIn: '1d',
+		});
 		const baseUrl = getInstanceBaseUrl();
 		const url = new URL(`${baseUrl}/change-password`);
-		url.searchParams.append('userId', id);
-		url.searchParams.append('token', resetPasswordToken);
+		url.searchParams.append('token', token);
 		return url.toString();
 	}
 }

packages/cli/test/integration/passwordReset.api.test.ts

@@ -10,11 +10,13 @@ import {
 	randomEmail,
 	randomInvalidPassword,
 	randomName,
+	randomString,
 	randomValidPassword,
 } from './shared/random';
 import * as testDb from './shared/testDb';
 import { setCurrentAuthenticationMethod } from '@/sso/ssoHelpers';
 import { ExternalHooks } from '@/ExternalHooks';
+import jwt from 'jsonwebtoken';
 
 jest.mock('@/UserManagement/email/NodeMailer');
 
@@ -28,6 +30,7 @@ const testServer = utils.setupTestServer({ endpointGroups: ['passwordReset'] });
 beforeAll(async () => {
 	globalOwnerRole = await testDb.getGlobalOwnerRole();
 	globalMemberRole = await testDb.getGlobalMemberRole();
+	config.set('userManagement.jwtSecret', randomString(5, 10));
 });
 
 beforeEach(async () => {
@@ -51,10 +54,6 @@ describe('POST /forgot-password', () => {
 
 				expect(response.statusCode).toBe(200);
 				expect(response.body).toEqual({});
-
-				const user = await Db.collections.User.findOneByOrFail({ email: payload.email });
-				expect(user.resetPasswordToken).toBeDefined();
-				expect(user.resetPasswordTokenExpiration).toBeGreaterThan(Math.ceil(Date.now() / 1000));
 			}),
 		);
 	});
@@ -66,9 +65,6 @@ describe('POST /forgot-password', () => {
 			.post('/forgot-password')
 			.send({ email: owner.email })
 			.expect(500);
-
-		const storedOwner = await Db.collections.User.findOneByOrFail({ email: owner.email });
-		expect(storedOwner.resetPasswordToken).toBeNull();
 	});
 
 	test('should fail if SAML is authentication method', async () => {
@@ -84,8 +80,6 @@ describe('POST /forgot-password', () => {
 			.send({ email: member.email })
 			.expect(403);
 
-		const storedOwner = await Db.collections.User.findOneByOrFail({ email: member.email });
-		expect(storedOwner.resetPasswordToken).toBeNull();
 		await setCurrentAuthenticationMethod('email');
 	});
 
@@ -100,8 +94,6 @@ describe('POST /forgot-password', () => {
 		expect(response.statusCode).toBe(200);
 		expect(response.body).toEqual({});
 
-		const storedOwner = await Db.collections.User.findOneByOrFail({ email: owner.email });
-		expect(storedOwner.resetPasswordToken).not.toBeNull();
 		await setCurrentAuthenticationMethod('email');
 	});
 
@@ -119,9 +111,6 @@ describe('POST /forgot-password', () => {
 		for (const invalidPayload of invalidPayloads) {
 			const response = await testServer.authlessAgent.post('/forgot-password').send(invalidPayload);
 			expect(response.statusCode).toBe(400);
-
-			const storedOwner = await Db.collections.User.findOneByOrFail({ email: owner.email });
-			expect(storedOwner.resetPasswordToken).toBeNull();
 		}
 	});
 
@@ -142,13 +131,10 @@ describe('GET /resolve-password-token', () => {
 	});
 
 	test('should succeed with valid inputs', async () => {
-		const resetPasswordToken = uuid();
-		const resetPasswordTokenExpiration = Math.floor(Date.now() / 1000) + 100;
-
-		await Db.collections.User.update(owner.id, {
-			resetPasswordToken,
-			resetPasswordTokenExpiration,
-		});
+		const resetPasswordToken = jwt.sign(
+			{ sub: owner.id },
+			config.getEnv('userManagement.jwtSecret'),
+		);
 
 		const response = await testServer.authlessAgent
 			.get('/resolve-password-token')
@@ -172,21 +158,21 @@ describe('GET /resolve-password-token', () => {
 	});
 
 	test('should fail if user is not found', async () => {
+		const token = jwt.sign({ sub: 'test' }, config.getEnv('userManagement.jwtSecret'));
+
 		const response = await testServer.authlessAgent
 			.get('/resolve-password-token')
-			.query({ userId: owner.id, token: uuid() });
+			.query({ userId: owner.id, token });
 
 		expect(response.statusCode).toBe(404);
 	});
 
 	test('should fail if token is expired', async () => {
-		const resetPasswordToken = uuid();
-		const resetPasswordTokenExpiration = Math.floor(Date.now() / 1000) - 1;
-
-		await Db.collections.User.update(owner.id, {
-			resetPasswordToken,
-			resetPasswordTokenExpiration,
-		});
+		const resetPasswordToken = jwt.sign(
+			{ sub: owner.id },
+			config.getEnv('userManagement.jwtSecret'),
+			{ expiresIn: '-1h' },
+		);
 
 		const response = await testServer.authlessAgent
 			.get('/resolve-password-token')
@@ -197,17 +183,13 @@ describe('GET /resolve-password-token', () => {
 });
 
 describe('POST /change-password', () => {
-	const resetPasswordToken = uuid();
 	const passwordToStore = randomValidPassword();
 
 	test('should succeed with valid inputs', async () => {
-		const resetPasswordTokenExpiration = Math.floor(Date.now() / 1000) + 100;
-
-		await Db.collections.User.update(owner.id, {
-			resetPasswordToken,
-			resetPasswordTokenExpiration,
-		});
-
+		const resetPasswordToken = jwt.sign(
+			{ sub: owner.id },
+			config.getEnv('userManagement.jwtSecret'),
+		);
 		const response = await testServer.authlessAgent.post('/change-password').send({
 			token: resetPasswordToken,
 			userId: owner.id,
@@ -234,12 +216,10 @@ describe('POST /change-password', () => {
 	});
 
 	test('should fail with invalid inputs', async () => {
-		const resetPasswordTokenExpiration = Math.floor(Date.now() / 1000) + 100;
-
-		await Db.collections.User.update(owner.id, {
-			resetPasswordToken,
-			resetPasswordTokenExpiration,
-		});
+		const resetPasswordToken = jwt.sign(
+			{ sub: owner.id },
+			config.getEnv('userManagement.jwtSecret'),
+		);
 
 		const invalidPayloads = [
 			{ token: uuid() },
@@ -272,12 +252,11 @@ describe('POST /change-password', () => {
 	});
 
 	test('should fail when token has expired', async () => {
-		const resetPasswordTokenExpiration = Math.floor(Date.now() / 1000) - 1;
-
-		await Db.collections.User.update(owner.id, {
-			resetPasswordToken,
-			resetPasswordTokenExpiration,
-		});
+		const resetPasswordToken = jwt.sign(
+			{ sub: owner.id },
+			config.getEnv('userManagement.jwtSecret'),
+			{ expiresIn: '-1h' },
+		);
 
 		const response = await testServer.authlessAgent.post('/change-password').send({
 			token: resetPasswordToken,