Merge pull request #138 from kitcc-org/136-vld-pwd-upd-user

ユーザ更新時にパスワードのバリデーションをかける

Author: kimurash

api/bundle.yml

@@ -673,15 +673,21 @@ paths:
                 email:
                   type: string
                   format: email
-                password:
+                currentPassword:
+                  type: string
+                  format: password
+                  pattern: ^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]+$
+                  minLength: 8
+                newPassword:
                   type: string
                   format: password
                   pattern: ^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]+$
                   minLength: 8
             example:
               name: 比企谷八幡
               email: hikigaya@oregairu.com
-              password: passw0rd
+              currentPassword: passw0rd
+              newPassword: pa55word
       responses:
         '200':
           description: 情報の更新に成功した
@@ -1108,3 +1114,4 @@ components:
         id: 1
         name: 比企谷八幡
         email: hikigaya@oregairu.com
+        sessionToken: abcde12345

api/components/examples/user.yml

@@ -1,4 +1,5 @@
 value:
   id: 1
-  name: "比企谷八幡"
-  email: "hikigaya@oregairu.com"
+  name: '比企谷八幡'
+  email: 'hikigaya@oregairu.com'
+  sessionToken: 'abcde12345'

api/paths/user.yml

@@ -221,15 +221,21 @@ user:
               email:
                 type: string
                 format: email
-              password:
+              currentPassword:
+                type: string
+                format: password
+                pattern: ^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]+$
+                minLength: 8
+              newPassword:
                 type: string
                 format: password
                 pattern: ^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]+$
                 minLength: 8
           example:
             name: '比企谷八幡'
             email: 'hikigaya@oregairu.com'
-            password: 'passw0rd'
+            currentPassword: 'passw0rd'
+            newPassword: 'pa55word'
     responses:
       '200':
         description: 情報の更新に成功した

backend/src/api/user.ts

@@ -3,6 +3,7 @@ import { zValidator } from '@hono/zod-validator';
 import { and, asc, eq, inArray, like } from 'drizzle-orm';
 import { drizzle } from 'drizzle-orm/d1';
 import { Hono } from 'hono';
+import { getCookie } from 'hono/cookie';
 import {
 	createUserBody,
 	deleteUserParams,
@@ -274,14 +275,66 @@ app.patch(
 		const param = ctx.req.valid('param');
 		const id = parseInt(param['userId']);
 
-		const user = ctx.req.valid('json');
+		const userIdCookie = getCookie(ctx, 'user_id', 'secure');
+		const userId = Number(userIdCookie);
+
+		if (id !== userId) {
+			// ログインユーザと更新対象のユーザが異なる
+			return ctx.json(
+				{
+					message: 'Unauthorized',
+				},
+				401,
+			);
+		}
+
+		const newUser = ctx.req.valid('json');
 
 		const db = drizzle(ctx.env.DB);
-		let updatedBook: SelectUser[] = [];
+
+		if (newUser.newPassword) {
+			// 新しいパスワードが指定されている
+			if (!newUser.currentPassword) {
+				// 現在のパスワードが指定されていない
+				return ctx.json(
+					{
+						message: 'Current password is required to update password',
+					},
+					400,
+				);
+			}
+
+			const user = await db
+				.select()
+				.from(userTable)
+				.where(eq(userTable.id, id));
+
+			if (user.length === 0) {
+				return ctx.notFound();
+			}
+
+			const digest = await generateHash(newUser.currentPassword);
+			if (digest != user[0].passwordDigest) {
+				return ctx.json(
+					{
+						message: 'Current password is incorrect',
+					},
+					400,
+				);
+			}
+		}
+
+		let updatedUser: SelectUser[] = [];
 		try {
-			updatedBook = await db
+			updatedUser = await db
 				.update(userTable)
-				.set(user)
+				.set({
+					name: newUser.name,
+					email: newUser.email,
+					passwordDigest: newUser.newPassword
+						? await generateHash(newUser.newPassword)
+						: undefined,
+				})
 				.where(eq(userTable.id, id))
 				.returning();
 		} catch (err) {
@@ -295,11 +348,11 @@ app.patch(
 			}
 		}
 
-		if (updatedBook.length === 0) {
+		if (updatedUser.length === 0) {
 			return ctx.notFound();
 		}
 
-		const result = updateUserResponse.safeParse(updatedBook[0]);
+		const result = updateUserResponse.safeParse(updatedUser[0]);
 		if (!result.success) {
 			console.error(result.error);
 			return ctx.json(
@@ -342,12 +395,12 @@ app.delete(
 		const id = parseInt(param['userId']);
 
 		const db = drizzle(ctx.env.DB);
-		const deletedBook = await db
+		const deletedUser = await db
 			.delete(userTable)
 			.where(eq(userTable.id, id))
 			.returning();
 
-		if (deletedBook.length === 0) {
+		if (deletedUser.length === 0) {
 			return ctx.notFound();
 		}
 

backend/src/schema.ts

@@ -261,15 +261,19 @@ export const updateUserParams = zod.object({
   "userId": zod.string().regex(updateUserPathUserIdRegExp)
 })
 
-export const updateUserBodyPasswordMin = 8;
+export const updateUserBodyCurrentPasswordMin = 8;
 
-export const updateUserBodyPasswordRegExp = new RegExp('^(?=.*[A-Za-z])(?=.*\\d)[A-Za-z\\d]+$');
+export const updateUserBodyCurrentPasswordRegExp = new RegExp('^(?=.*[A-Za-z])(?=.*\\d)[A-Za-z\\d]+$');
+export const updateUserBodyNewPasswordMin = 8;
+
+export const updateUserBodyNewPasswordRegExp = new RegExp('^(?=.*[A-Za-z])(?=.*\\d)[A-Za-z\\d]+$');
 
 
 export const updateUserBody = zod.object({
   "name": zod.string().optional(),
   "email": zod.string().email().optional(),
-  "password": zod.string().min(updateUserBodyPasswordMin).regex(updateUserBodyPasswordRegExp).optional()
+  "currentPassword": zod.string().min(updateUserBodyCurrentPasswordMin).regex(updateUserBodyCurrentPasswordRegExp).optional(),
+  "newPassword": zod.string().min(updateUserBodyNewPasswordMin).regex(updateUserBodyNewPasswordRegExp).optional()
 })
 
 export const updateUserResponse = zod.object({

backend/test/api/user.test.ts

@@ -113,12 +113,12 @@ describe('PATCH /users/:userId', () => {
 		const credentials = {
 			name: '比企谷八幡',
 			email: 'hikigaya@oregairu.com',
-			password: 'passw0rd',
+			currentPassword: 'passw0rd',
+			newPassword: 'pa55word',
 		};
 
-		const users = await db.select().from(userTable);
 		const response = await app.request(
-			`/users/${users[0].id}`,
+			`/users/${currentUser.id}`,
 			{
 				method: 'PATCH',
 				headers: {
@@ -139,9 +139,9 @@ describe('PATCH /users/:userId', () => {
 		const updatedUser = await db
 			.select()
 			.from(userTable)
-			.where(eq(userTable.id, users[0].id));
-		const { password, ...rest } = credentials;
-		expect(updatedUser[0]).toMatchObject(rest);
+			.where(eq(userTable.id, currentUser.id!));
+		expect(updatedUser[0].name).toBe(credentials.name);
+		expect(updatedUser[0].email).toBe(credentials.email);
 	});
 
 	loggedInTest(
@@ -172,7 +172,7 @@ describe('PATCH /users/:userId', () => {
 		'should return 400 when name is not a string',
 		async ({ currentUser, sessionToken }) => {
 			const response = await app.request(
-				`/users/1`,
+				`/users/${currentUser.id}`,
 				{
 					method: 'PATCH',
 					headers: {
@@ -196,7 +196,7 @@ describe('PATCH /users/:userId', () => {
 		'should return 400 when email is invalid',
 		async ({ currentUser, sessionToken }) => {
 			const response = await app.request(
-				`/users/1`,
+				`/users/${currentUser.id}`,
 				{
 					method: 'PATCH',
 					headers: {
@@ -206,7 +206,7 @@ describe('PATCH /users/:userId', () => {
 							`__Secure-session_token=${sessionToken}`,
 						].join('; '),
 					},
-					// メールアドレスに文字列以外を指定する
+					// メールアドレスが形式に合っていない
 					body: JSON.stringify({ email: 'user@invalid' }),
 				},
 				env,
@@ -220,14 +220,14 @@ describe('PATCH /users/:userId', () => {
 		'should return 400 when password is invalid',
 		async ({ currentUser, sessionToken }) => {
 			const invalidPassword = [
-				'abc123', // 文字数が8未満
+				'abc123', // 文字数が8文字未満
 				'12345678', // 英字が含まれていない
 				'password', // 数字が含まれていない
 			];
 
 			for (const password of invalidPassword) {
 				const response = await app.request(
-					`/users/1`,
+					`/users/${currentUser.id}`,
 					{
 						method: 'PATCH',
 						headers: {
@@ -238,7 +238,7 @@ describe('PATCH /users/:userId', () => {
 							].join('; '),
 						},
 						// パスワードに文字列以外を指定する
-						body: JSON.stringify({ password: 1 }),
+						body: JSON.stringify({ password: password }),
 					},
 					env,
 				);
@@ -249,12 +249,10 @@ describe('PATCH /users/:userId', () => {
 	);
 
 	loggedInTest(
-		'should return 400 when violate email unique constraint',
+		'should return 400 when current password is incorrect',
 		async ({ currentUser, sessionToken }) => {
-			const users = await db.select().from(userTable);
-
 			const response = await app.request(
-				`/users/${users[1].id}`,
+				`/users/${currentUser.id}`,
 				{
 					method: 'PATCH',
 					headers: {
@@ -264,8 +262,10 @@ describe('PATCH /users/:userId', () => {
 							`__Secure-session_token=${sessionToken}`,
 						].join('; '),
 					},
-					// 既に存在するメールアドレスを指定する
-					body: JSON.stringify({ email: users[0].email }),
+					body: JSON.stringify({
+						currentPassword: 'abcd1234',
+						newPassword: 'pa55word',
+					}),
 				},
 				env,
 			);
@@ -274,25 +274,13 @@ describe('PATCH /users/:userId', () => {
 		},
 	);
 
-	it('should return 401 when not logged in', async () => {
-		// prettier-ignore
-		const response = await app.request(
-			`/users/1`,
-			{
-				method: 'PATCH',
-				body: JSON.stringify({ name: '比企谷八幡' }),
-			}
-		);
-
-		expect(response.status).toBe(401);
-	});
-
 	loggedInTest(
-		'should return 404 when user is not found',
+		'should return 400 when violate email unique constraint',
 		async ({ currentUser, sessionToken }) => {
+			const users = await db.select().from(userTable);
+
 			const response = await app.request(
-				// 存在しないuserIdを指定する
-				`/users/100`,
+				`/users/${currentUser.id}`,
 				{
 					method: 'PATCH',
 					headers: {
@@ -302,14 +290,28 @@ describe('PATCH /users/:userId', () => {
 							`__Secure-session_token=${sessionToken}`,
 						].join('; '),
 					},
-					body: JSON.stringify({ name: 'username' }),
+					// 既に存在するメールアドレスを指定する
+					body: JSON.stringify({ email: users[0].email }),
 				},
 				env,
 			);
 
-			expect(response.status).toBe(404);
+			expect(response.status).toBe(400);
 		},
 	);
+
+	it('should return 401 when not logged in', async () => {
+		// prettier-ignore
+		const response = await app.request(
+			`/users/1`,
+			{
+				method: 'PATCH',
+				body: JSON.stringify({ name: '比企谷八幡' }),
+			}
+		);
+
+		expect(response.status).toBe(401);
+	});
 });
 
 describe('DELETE /users/:userId', () => {

frontend/client/client.schemas.ts

@@ -86,13 +86,18 @@ export type DeleteUser204 = {
 };
 
 export type UpdateUserBody = {
+  /**
+   * @minLength 8
+   * @pattern ^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]+$
+   */
+  currentPassword?: string;
   email?: string;
   name?: string;
   /**
    * @minLength 8
    * @pattern ^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]+$
    */
-  password?: string;
+  newPassword?: string;
 };
 
 export type DeleteUsersBody = {