feat(#9547): add password change feature on first time login

api/src/controllers/login.js

@@ -51,6 +51,20 @@ const templates = {
       'privacy.policy'
     ],
   },
+  passwordReset: {
+    file: path.join(__dirname, '..', 'templates', 'login', 'password-reset.html'),
+    translationStrings: [
+      'login',
+      'Password',
+      'privacy.policy'
+    ],
+  }
+};
+
+let password_change_required = true;
+
+const checkPasswordChange = async (userCtx) => {
+  return await auth.hasAllPermissions(userCtx, 'can_change_password_first_login');
 };
 
 const getHomeUrl = userCtx => {
@@ -300,15 +314,27 @@ const renderLogin = (req) => {
   return render('login', req);
 };
 
+const renderPasswordReset = (req) => {
+  return render('passwordReset', req);
+}
+
 const login = async (req, res) => {
   try {
     const sessionRes = await createSession(req);
     if (sessionRes.statusCode !== 200) {
       res.status(sessionRes.statusCode).json({ error: 'Not logged in' });
-    } else {
-      const redirectUrl = await setCookies(req, res, sessionRes);
-      res.status(302).send(redirectUrl);
     }
+    const sessionCookie = getSessionCookie(sessionRes);
+    const options = { headers: { Cookie: sessionCookie } };
+    const userCtx = await getUserCtxRetry(options);
+    await setCookies(req, res, sessionRes);
+
+    const needsPasswordChange = await checkPasswordChange(userCtx);
+    if (needsPasswordChange && password_change_required) {
+      return res.status(302).send('/medic/password-reset');
+    }
+    const redirectUrl = getRedirectUrl(userCtx, req.body.redirect);
+    res.status(302).send(redirectUrl);
   } catch (e) {
     if (e.status === 401) {
       return res.status(401).json({ error: e.error });
@@ -320,6 +346,7 @@ const login = async (req, res) => {
 
 module.exports = {
   renderLogin,
+  renderPasswordReset,
 
   get: (req, res, next) => {
     return renderLogin(req)
@@ -355,6 +382,17 @@ module.exports = {
       });
   },
 
+  passwordResetGet: (req, res, next) => {
+    return renderPasswordReset(req)
+        .then(body => {
+          res.setHeader(
+              'Link',
+              '</login/style.css>; rel=preload; as=style, '
+          );
+          res.send(body);
+        })
+        .catch(next);
+  },
   tokenGet: (req, res, next) => renderTokenLogin(req, res).catch(next),
   tokenPost: async (req, res, next) => {
     const limited = await rateLimitService.isLimited(req);

api/src/generate-service-worker.js

@@ -53,6 +53,10 @@ const getLoginPageContents = async () => {
   return await loginController.renderLogin();
 };
 
+const getPasswordResetPageContents = async () => {
+  return await loginController.renderPasswordReset();
+}
+
 const appendExtensionLibs = async (config) => {
   const libs = await extensionLibs.getAll();
   // cache this even if there are no libs so offline client knows there are no libs
@@ -99,6 +103,7 @@ const writeServiceWorkerFile = async () => {
     templatedURLs: {
       '/': ['webapp/index.html'], // Webapp's entry point
       '/medic/login': await getLoginPageContents(),
+      '/medic/password-reset': await getPasswordResetPageContents(),
       '/medic/_design/medic/_rewrite/': ['webapp/appcache-upgrade.html']
     },
     ignoreURLParametersMatching: [/redirect/, /username/],

api/src/routing.js

@@ -290,6 +290,7 @@ app.get(routePrefix + 'login', login.get);
 app.get(routePrefix + 'login/identity', login.getIdentity);
 app.postJson(routePrefix + 'login', login.post);
 app.get(routePrefix + 'login/token/:token?', login.tokenGet);
+app.get(routePrefix + 'password-reset', login.passwordResetGet);
 app.postJson(routePrefix + 'login/token/:token?', login.tokenPost);
 app.get(routePrefix + 'privacy-policy', privacyPolicyController.get);
 

api/src/templates/login/password-reset.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="theme-color" content="#323232">
+    <title>{{ branding.name }}</title>
+    <link href="/login/style.css" media="all" rel="stylesheet">
+    <link rel="shortcut icon" href="/favicon.ico">
+</head>
+<body>
+<div class="center">
+    <h1>Password Reset</h1>
+    <p>You need to reset your password before continuing.</p>
+</div>
+</body>
+</html>

config/default/app_settings.json

@@ -283,6 +283,7 @@
     "can_view_old_navigation": [],
     "can_default_facility_filter": [],
     "can_have_multiple_places": [],
+    "can_change_password_first_login": [],
     "can_export_devices_details": [
       "national_admin"
     ]