feat(#9547): add password change feature on first time login

api/resources/translations/messages-en.properties

@@ -400,6 +400,12 @@ bulkdelete.confirm.title = Delete record?
 bulkdelete.confirm.title.plural = Delete selected records?
 call = Call
 case_id = Case ID
+change.password.confirm.password = Confirm password
+change.password.hint = Use uppercase letters, numbers, and special characters.
+change.password.new.password = New password
+change.password.required = Password and Confirm Password fields are required
+change.password.submit = Change password
+change.password.title = Change your password
 child_birth_date = Child birth date
 child_birth_outcome = Child birth outcome
 child_birth_weight = Child birth weight
@@ -966,6 +972,7 @@ partner.supporting = Supporting partners
 partner.tab.partners = Partners
 password.incorrect = Password is not correct.
 password.length.minimum = The password must be at least {{minimum}} characters long.
+password.must.match = Passwords and confirm password must match
 password.update = Update password
 password.weak = The password is too easy to guess. Include a range of characters to make it more complex.
 patient\ id\ not\ found\ response = Send the following response message if the validations pass but the Medic ID is not located.

api/resources/translations/messages-es.properties

@@ -400,6 +400,12 @@ bulkdelete.confirm.title = ¿Eliminar el registro?
 bulkdelete.confirm.title.plural = ¿Eliminar registros seleccionados?
 call = Llamar
 case_id = Identificación del caso
+change.password.confirm.password = Confirmar contraseña
+change.password.hint = Utilice letras mayúsculas, números y caracteres especiales.
+change.password.new.password = Nueva contraseña
+change.password.required = Los campos Contraseña y Confirmar contraseña son obligatorios
+change.password.submit = Cambiar la contraseña
+change.password.title = Cambiar contraseña
 child_birth_date = Fecha de nacimiento del niño
 child_birth_outcome = Resultado del nacimiento del niño
 child_birth_weight = Peso del niño al nacer
@@ -966,6 +972,7 @@ partner.supporting = Socios que está apoyando
 partner.tab.partners = Socios
 password.incorrect = La contraseña no es correcta.
 password.length.minimum = La contraseña debe tener al menos {{minimum}} caracteres.
+password.must.match = Las contraseñas y la contraseña de confirmación deben coincidir
 password.update = Actualizar contraseña
 password.weak = La contraseña es demasiado fácil de adivinar. Incluya más variedad de caracteres para hacerlo más complejo.
 patient\ id\ not\ found\ response = Enviar el siguiente mensaje de respuesta, sí las validaciones pasan correctamente pero no se encontró el Medic ID.

api/resources/translations/messages-fr.properties

@@ -966,6 +966,7 @@ partner.supporting = Partenaires de soutien
 partner.tab.partners = Partenaires
 password.incorrect = Mot de passe incorrect
 password.length.minimum = Le mot de passe doit être au moins {{minimum}} caractères.
+password.must.match = Les mots de passe et le mot de passe de confirmation doivent correspondre
 password.update = Mettre à jour mot de passe
 password.weak = Le mot de passe est trop facile à deviner. Inclure au moins une lettre majuscule, un chiffre et un caractère spécial.
 patient\ id\ not\ found\ response = Envoyer cette réponse si les validations passent, mais l'ID du patient n'est pas retrouvé.

api/resources/translations/messages-id.properties

@@ -884,6 +884,7 @@ partner.supporting =
 partner.tab.partners = 
 password.incorrect = Kata sandi tidak benar.
 password.length.minimum = Kata sandi harus setidaknya {{minimum}} karakter.
+password.must.match = Kata sandi dan konfirmasi kata sandi harus cocok
 password.update = Perbaharui Kata Sandi
 password.weak = Kata sandinya terlalu mudah. Sertakan setidaknya 1 huruf besar, 1 angka, dan 1 karakter khusus.
 patient\ id\ not\ found\ response = Kirim pesan respon ini bila lolos validasi tetapi Medic ID tidak ditemukan

api/resources/translations/messages-sw.properties

@@ -402,6 +402,12 @@ bulkdelete.confirm.title = Futa rekodi?
 bulkdelete.confirm.title.plural = Ungependa kufuta rekodi ulizochagua?
 call = Piga simu
 case_id = Kitambulisho cha kesi
+change.password.confirm.password = Thibitisha nenosiri
+change.password.hint = Tumia herufi kubwa, nambari na herufi maalum.
+change.password.new.password = Nenosiri mpya
+change.password.required = Nenosiri na uthibitisho wa nenosiri zinahitajika
+change.password.submit = Badilisha nenosiri
+change.password.title = Badilisha nenosiri lako
 child_birth_date = Tarehe ya kuzaliwa mtoto
 child_birth_outcome = Matokeo ya mtoto mzaliwa
 child_birth_weight = Uzani wa mtoto mzaliwa
@@ -966,6 +972,7 @@ partner.supporting = Washirika wanaounga mkono
 partner.tab.partners = Washirika
 password.incorrect = Nenosiri si sahihi
 password.length.minimum = Nenosiri inapaswa kuwa na wahusika {{minimum}} kwenda juu
+password.must.match = Nenosiri na uthibitisho wa nenosiri lazima zilingane
 password.update = Badilisha nenosiri
 password.weak = Nywila ni rahisi sana nadhani. Jumuisha anuwai ya herufi ili kuifanya iwe ngumu zaidi.
 patient\ id\ not\ found\ response = Tuma ujumbe wa majibu ufuatao kama validations zimepitishwa lakini ID ya mgonjwa haiko

api/src/auth.js

@@ -59,7 +59,12 @@ module.exports = {
       .then(auth => {
         if (auth?.userCtx?.name) {
           req.headers['X-Medic-User'] = auth.userCtx.name;
-          return auth.userCtx;
+          return db.users
+            .get(`org.couchdb.user:${auth.userCtx.name}`)
+            .then(user => ({
+              ...auth.userCtx,
+              password_change_required: !!user.password_change_required
+            }));
         }
         throw { code: 500, message: 'Failed to authenticate' };
       });

api/src/controllers/login.js

@@ -17,6 +17,9 @@ const translations = require('../translations');
 const template = require('../services/template');
 const rateLimitService = require('../services/rate-limit');
 const serverUtils = require('../server-utils');
+const passwordTester = require('simple-password-tester');
+
+const { PASSWORD_MINIMUM_LENGTH, PASSWORD_MINIMUM_SCORE } = require('@medic/user-management/src/users');
 
 const templates = {
   login: {
@@ -51,6 +54,30 @@ const templates = {
       'privacy.policy'
     ],
   },
+  passwordReset: {
+    file: path.join(__dirname, '..', 'templates', 'login', 'password-reset.html'),
+    translationStrings: [
+      'login.show_password',
+      'login.hide_password',
+      'change.password.title',
+      'change.password',
+      'change.password.hint',
+      'change.password.submit',
+      'change.password.new.password',
+      'change.password.confirm.password',
+      'change.password.required',
+      'password.weak',
+      'password.length.minimum',
+      'password.must.match'
+    ],
+  }
+};
+
+const skipPasswordChange = async (userCtx) => {
+  if (roles.isDbAdmin(userCtx)) {
+    return true;
+  }
+  return await auth.hasAllPermissions(userCtx, 'can_skip_password_change');
 };
 
 const getHomeUrl = userCtx => {
@@ -201,7 +228,9 @@ const setCookies = (req, res, sessionRes) => {
       cookie.setSession(res, sessionCookie);
       setUserCtxCookie(res, userCtx);
       // Delete login=force cookie
-      res.clearCookie('login');
+      if (!userCtx.password_change_required) {
+        cookie.clearCookie(res, 'login');
+      }
 
       return Promise.resolve()
         .then(() => {
@@ -210,10 +239,12 @@ const setCookies = (req, res, sessionRes) => {
           }
         })
         .then(() => {
-          const selectedLocale = req.body.locale
-            || config.get('locale');
+          const selectedLocale = req.body.locale || config.get('locale');
           cookie.setLocale(res, selectedLocale);
-          return getRedirectUrl(userCtx, req.body.redirect);
+          return {
+            userCtx,
+            redirectUrl: getRedirectUrl(userCtx, req.body.redirect),
+          };
         });
     })
     .catch(err => {
@@ -300,26 +331,71 @@ const renderLogin = (req) => {
   return render('login', req);
 };
 
+const renderPasswordReset = (req) => {
+  return render('passwordReset', req);
+};
+
+const validatePassword = (password, confirmPassword) => {
+  if (!password || !confirmPassword) {
+    return { isValid: false, error: 'required'};
+  }
+
+  if (password.length < PASSWORD_MINIMUM_LENGTH) {
+    return {
+      isValid: false,
+      error: 'short',
+      params: { minimum: PASSWORD_MINIMUM_LENGTH }
+    };
+  }
+
+  if (password !== confirmPassword) {
+    return { isValid: false, error: 'mismatch' };
+  }
+
+  if (passwordTester(password) < PASSWORD_MINIMUM_SCORE) {
+    return { isValid: false, error: 'weak' };
+  }
+
+  return { isValid: true };
+};
+
+const validateSession = async (req) => {
+  const sessionRes = await createSession(req);
+  if (sessionRes.statusCode !== 200) {
+    const error = new Error('Not logged in');
+    error.status = sessionRes.statusCode;
+    throw error;
+  }
+  return sessionRes;
+};
+
+const sendLoginErrorResponse = (e, res) => {
+  if (e.status === 401) {
+    return res.status(401).json({ error: e.error });
+  }
+  logger.error('Error logging in: %o', e);
+  return res.status(500).json({ error: 'Unexpected error logging in' });
+};
+
 const login = async (req, res) => {
   try {
-    const sessionRes = await createSession(req);
-    if (sessionRes.statusCode !== 200) {
-      res.status(sessionRes.statusCode).json({ error: 'Not logged in' });
-    } else {
-      const redirectUrl = await setCookies(req, res, sessionRes);
-      res.status(302).send(redirectUrl);
+    const sessionRes = await validateSession(req);
+    const { userCtx, redirectUrl } = await setCookies(req, res, sessionRes);
+
+    const redirectPasswordReset = !await skipPasswordChange(userCtx);
+    if (redirectPasswordReset){
+      return res.status(302).send('/medic/password-reset');
     }
+
+    return res.status(302).send(redirectUrl);
   } catch (e) {
-    if (e.status === 401) {
-      return res.status(401).json({ error: e.error });
-    }
-    logger.error('Error logging in: %o', e);
-    res.status(500).json({ error: 'Unexpected error logging in' });
+    return sendLoginErrorResponse(e, res);
   }
 };
 
 module.exports = {
   renderLogin,
+  renderPasswordReset,
 
   get: (req, res, next) => {
     return renderLogin(req)
@@ -328,6 +404,7 @@ module.exports = {
           'Link',
           '</login/style.css>; rel=preload; as=style, '
           + '</login/script.js>; rel=preload; as=script, '
+          + '</login/auth-utils.js>; rel=preload; as=script, '
           + '</login/lib-bowser.js>; rel=preload; as=script'
         );
         res.send(body);
@@ -355,6 +432,60 @@ module.exports = {
       });
   },
 
+  getPasswordReset: (req, res, next) => {
+    return renderPasswordReset(req)
+      .then(body => {
+        res.setHeader(
+          'Link',
+          '</login/style.css>; rel=preload; as=style, '
+              + '</login/auth-utils.js>; rel=preload; as=script, '
+              + '</login/password-reset.js>; rel=preload; as=script'
+        );
+        res.send(body);
+      })
+      .catch(next);
+  },
+  resetPassword: async (req, res) => {
+    const limited = await rateLimitService.isLimited(req);
+    if (limited) {
+      return serverUtils.rateLimited(req, res);
+    }
+
+    try {
+      const validation = validatePassword(req.body.password, req.body.confirmPassword);
+      if (!validation.isValid) {
+        return res.status(400).json({
+          error: `password${validation.error}`,
+          params: validation.params,
+        });
+      }
+      const userCtx = await auth.getUserCtx(req);
+      const user = await db.users.get(`org.couchdb.user:${userCtx.name}`);
+      user.password = req.body.password;
+      user.password_change_required = false;
+
+      await db.users.put(user);
+
+      cookie.clearCookie(res, 'login');
+      cookie.clearCookie(res, 'AuthSession');
+
+      req.body = {
+        ...req.body,
+        user: user.name,
+        password: req.body.password,
+        locale: req.body.locale,
+      };
+
+      const sessionRes = await createSessionRetry(req);
+      cookie.setPasswordUpdated(res);
+
+      const { redirectUrl } = await setCookies(req, res, sessionRes);
+      return res.status(302).send(redirectUrl);
+    } catch (err) {
+      logger.error('Error updating password: %o', err);
+      res.status(500).json({ error: 'Error updating password' });
+    }
+  },
   tokenGet: (req, res, next) => renderTokenLogin(req, res).catch(next),
   tokenPost: async (req, res, next) => {
     const limited = await rateLimitService.isLimited(req);

api/src/generate-service-worker.js

@@ -53,6 +53,10 @@ const getLoginPageContents = async () => {
   return await loginController.renderLogin();
 };
 
+const getPasswordResetPageContents = async () => {
+  return await loginController.renderPasswordReset();
+};
+
 const appendExtensionLibs = async (config) => {
   const libs = await extensionLibs.getAll();
   // cache this even if there are no libs so offline client knows there are no libs
@@ -99,6 +103,7 @@ const writeServiceWorkerFile = async () => {
     templatedURLs: {
       '/': ['webapp/index.html'], // Webapp's entry point
       '/medic/login': await getLoginPageContents(),
+      '/medic/password-reset': await getPasswordResetPageContents(),
       '/medic/_design/medic/_rewrite/': ['webapp/appcache-upgrade.html']
     },
     ignoreURLParametersMatching: [/redirect/, /username/],