Reset password

Author: fetchfern

apps/labrinth/migrations/20250902133943_notification-extension.sql

@@ -55,11 +55,54 @@ CREATE TABLE notifications_templates (
 );
 
 -- Add existing notification types
+INSERT INTO notifications_types (name, delivery_priority, expose_in_user_preferences, expose_in_site_notifications) VALUES ('reset_password', 3, FALSE, FALSE);
 INSERT INTO notifications_types (name, delivery_priority, expose_in_user_preferences, expose_in_site_notifications) VALUES ('project_update', 1, TRUE, TRUE);
 INSERT INTO notifications_types (name, delivery_priority, expose_in_user_preferences, expose_in_site_notifications) VALUES ('team_invite', 1, TRUE, TRUE);
 INSERT INTO notifications_types (name, delivery_priority, expose_in_user_preferences, expose_in_site_notifications) VALUES ('organization_invite', 1, TRUE, TRUE);
 INSERT INTO notifications_types (name, delivery_priority, expose_in_user_preferences, expose_in_site_notifications) VALUES ('status_change', 1, TRUE, TRUE);
 INSERT INTO notifications_types (name, delivery_priority, expose_in_user_preferences, expose_in_site_notifications) VALUES ('moderator_message', 1, TRUE, TRUE);
 INSERT INTO notifications_types (name, delivery_priority, expose_in_user_preferences, expose_in_site_notifications) VALUES ('legacy_markdown', 1, TRUE, TRUE);
 INSERT INTO notifications_types (name, delivery_priority, expose_in_user_preferences, expose_in_site_notifications) VALUES ('unknown', 1, TRUE, TRUE);
-INSERT INTO notifications_types (name, delivery_priority, expose_in_user_preferences, expose_in_site_notifications) VALUES ('reset_password', 3, FALSE, FALSE);
+
+INSERT INTO users_notifications_preferences (user_id, channel, notification_type, enabled)
+VALUES (NULL, 'email', 'reset_password', TRUE);
+
+INSERT INTO users_notifications_preferences (user_id, channel, notification_type, enabled)
+VALUES (NULL, 'email', 'project_update', FALSE);
+
+INSERT INTO users_notifications_preferences (user_id, channel, notification_type, enabled)
+VALUES (NULL, 'email', 'team_invite', FALSE);
+
+INSERT INTO users_notifications_preferences (user_id, channel, notification_type, enabled)
+VALUES (NULL, 'email', 'organization_invite', FALSE);
+
+INSERT INTO users_notifications_preferences (user_id, channel, notification_type, enabled)
+VALUES (NULL, 'email', 'status_change', FALSE);
+
+INSERT INTO users_notifications_preferences (user_id, channel, notification_type, enabled)
+VALUES (NULL, 'email', 'moderator_message', FALSE);
+
+INSERT INTO users_notifications_preferences (user_id, channel, notification_type, enabled)
+VALUES (NULL, 'email', 'legacy_markdown', FALSE);
+
+INSERT INTO users_notifications_preferences (user_id, channel, notification_type, enabled)
+VALUES (NULL, 'email', 'unknown', FALSE);
+
+-- Pre-insert any templates
+INSERT INTO notifications_templates (channel, notification_type, subject_line, body_fetch_url, plaintext_fallback)
+VALUES (
+    'email', 'reset_password', 'Reset your Modrinth password', 'https://modrinth.com/mail/resetpassword.html',
+    CONCAT(
+        'Hi {user.name},',
+        CHR(10),
+        CHR(10),
+        'Please visit the below link below to reset your password. If you did not request for your password to be reset, you can safely ignore this email.',
+        CHR(10),
+        'Reset your password: {resetpassword.url}',
+        CHR(10),
+        CHR(10),
+        '- The Modrinth Team',
+        CHR(10),
+        'modrinth.com'
+    )
+);

apps/labrinth/src/database/models/user_item.rs

@@ -233,7 +233,7 @@ impl DBUser {
         exec: E,
     ) -> Result<Option<DBUserId>, sqlx::Error>
     where
-        E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
+        E: sqlx::Executor<'a, Database = sqlx::Postgres>,
     {
         let user = sqlx::query!(
             "
@@ -254,7 +254,7 @@ impl DBUser {
         exec: E,
     ) -> Result<Vec<DBUserId>, sqlx::Error>
     where
-        E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
+        E: sqlx::Executor<'a, Database = sqlx::Postgres>,
     {
         let users = sqlx::query!(
             "
@@ -276,7 +276,7 @@ impl DBUser {
         redis: &RedisPool,
     ) -> Result<Vec<DBProjectId>, DatabaseError>
     where
-        E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
+        E: sqlx::Executor<'a, Database = sqlx::Postgres>,
     {
         use futures::stream::TryStreamExt;
 
@@ -324,7 +324,7 @@ impl DBUser {
         exec: E,
     ) -> Result<Vec<DBOrganizationId>, sqlx::Error>
     where
-        E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
+        E: sqlx::Executor<'a, Database = sqlx::Postgres>,
     {
         use futures::stream::TryStreamExt;
 
@@ -349,7 +349,7 @@ impl DBUser {
         exec: E,
     ) -> Result<Vec<DBCollectionId>, sqlx::Error>
     where
-        E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
+        E: sqlx::Executor<'a, Database = sqlx::Postgres>,
     {
         use futures::stream::TryStreamExt;
 
@@ -373,7 +373,7 @@ impl DBUser {
         exec: E,
     ) -> Result<Vec<DBProjectId>, sqlx::Error>
     where
-        E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
+        E: sqlx::Executor<'a, Database = sqlx::Postgres>,
     {
         use futures::stream::TryStreamExt;
 
@@ -397,7 +397,7 @@ impl DBUser {
         exec: E,
     ) -> Result<Vec<DBReportId>, sqlx::Error>
     where
-        E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
+        E: sqlx::Executor<'a, Database = sqlx::Postgres>,
     {
         use futures::stream::TryStreamExt;
 
@@ -421,7 +421,7 @@ impl DBUser {
         exec: E,
     ) -> Result<Vec<String>, sqlx::Error>
     where
-        E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
+        E: sqlx::Executor<'a, Database = sqlx::Postgres>,
     {
         use futures::stream::TryStreamExt;
 

apps/labrinth/src/models/v3/notifications.rs

@@ -247,6 +247,7 @@ impl From<DBNotification> for Notification {
                     },
                     vec![],
                 ),
+                // Don't expose the `flow` field
                 NotificationBody::ResetPassword { .. } => (
                     "Password reset requested".to_string(),
                     "You've requested to reset your password. Please check your email for a reset link.".to_string(),

apps/labrinth/src/queue/email/templates.rs

@@ -18,6 +18,8 @@ use tracing::{error, warn};
 const USER_NAME: &str = "user.name";
 const USER_EMAIL: &str = "user.email";
 
+const RESETPASSWORD_URL: &str = "resetpassword.url";
+
 const TEAMINVITE_INVITER_NAME: &str = "teaminvite.inviter.name";
 const TEAMINVITE_PROJECT_NAME: &str = "teaminvite.project.name";
 const TEAMINVITE_ROLE_NAME: &str = "teaminvite.role.name";
@@ -170,12 +172,12 @@ async fn collect_template_variables(
     exec: impl sqlx::PgExecutor<'_>,
     redis: &RedisPool,
     n: &DBNotification,
-) -> Result<TemplateVariables, DatabaseError> {
+) -> Result<TemplateVariables, ApiError> {
     async fn only_select_default_variables(
         exec: impl sqlx::PgExecutor<'_>,
         redis: &RedisPool,
         user_id: DBUserId,
-    ) -> Result<TemplateVariables, DatabaseError> {
+    ) -> Result<TemplateVariables, ApiError> {
         let mut map = HashMap::new();
 
         let user = DBUser::get_id(user_id, exec, redis)
@@ -187,10 +189,6 @@ async fn collect_template_variables(
     }
 
     match &n.body {
-        NotificationBody::ProjectUpdate { .. } => {
-            only_select_default_variables(exec, redis, n.user_id).await
-        }
-
         NotificationBody::TeamInvite {
             team_id: _,
             project_id,
@@ -289,6 +287,25 @@ async fn collect_template_variables(
             Ok(TemplateVariables::with_email(map, result.user_email))
         }
 
-        _ => only_select_default_variables(exec, redis, n.user_id).await,
+        NotificationBody::ResetPassword { flow } => {
+            let url = format!(
+                "{}/{}?flow={}",
+                dotenvy::var("SITE_URL")?,
+                dotenvy::var("SITE_RESET_PASSWORD_PATH")?,
+                flow
+            );
+
+            let mut map = HashMap::new();
+            map.insert(RESETPASSWORD_URL, url);
+
+            Ok(TemplateVariables::with_email(map, None))
+        }
+
+        NotificationBody::ProjectUpdate { .. }
+        | NotificationBody::LegacyMarkdown { .. }
+        | NotificationBody::ModeratorMessage { .. }
+        | NotificationBody::Unknown => {
+            only_select_default_variables(exec, redis, n.user_id).await
+        }
     }
 }

apps/labrinth/src/routes/internal/flows.rs

@@ -5,8 +5,10 @@ use crate::auth::validate::{
 use crate::auth::{AuthProvider, AuthenticationError, get_user_from_headers};
 use crate::database::models::DBUser;
 use crate::database::models::flow_item::DBFlow;
+use crate::database::models::notification_item::NotificationBuilder;
 use crate::database::redis::RedisPool;
 use crate::file_hosting::{FileHost, FileHostPublicity};
+use crate::models::notifications::NotificationBody;
 use crate::models::pats::Scopes;
 use crate::models::users::{Badges, Role};
 use crate::queue::session::AuthQueue;
@@ -1930,18 +1932,20 @@ pub async fn reset_password_begin(
         return Err(ApiError::Turnstile);
     }
 
+    let mut txn = pool.begin().await?;
+
     let user =
         match crate::database::models::DBUser::get_by_case_insensitive_email(
             &reset_password.username_or_email,
-            &**pool,
+            &mut *txn,
         )
         .await?[..]
         {
             [] => {
                 // Try finding by username or ID
                 crate::database::models::DBUser::get(
                     &reset_password.username_or_email,
-                    &**pool,
+                    &mut *txn,
                     &redis,
                 )
                 .await?
@@ -1950,7 +1954,7 @@ pub async fn reset_password_begin(
                 // If there is only one user with the given email, ignoring case,
                 // we can assume it's the user we want to reset the password for
                 crate::database::models::DBUser::get_id(
-                    user_id, &**pool, &redis,
+                    user_id, &mut *txn, &redis,
                 )
                 .await?
             }
@@ -1962,12 +1966,12 @@ pub async fn reset_password_begin(
                 if let Some(user_id) =
                     crate::database::models::DBUser::get_by_email(
                         &reset_password.username_or_email,
-                        &**pool,
+                        &mut *txn,
                     )
                     .await?
                 {
                     crate::database::models::DBUser::get_id(
-                        user_id, &**pool, &redis,
+                        user_id, &mut *txn, &redis,
                     )
                     .await?
                 } else {
@@ -1976,33 +1980,20 @@ pub async fn reset_password_begin(
             }
         };
 
-    if let Some(DBUser {
-        id: user_id,
-        email: Some(email),
-        ..
-    }) = user
-    {
+    if let Some(DBUser { id: user_id, .. }) = user {
         let flow = DBFlow::ForgotPassword { user_id }
             .insert(Duration::hours(24), &redis)
             .await?;
 
-        send_email(
-            email,
-            "Reset your password",
-            "Please visit the following link below to reset your password. If the button does not work, you can copy the link and paste it into your browser.",
-            "If you did not request for your password to be reset, you can safely ignore this email.",
-            Some((
-                "Reset password",
-                &format!(
-                    "{}/{}?flow={}",
-                    dotenvy::var("SITE_URL")?,
-                    dotenvy::var("SITE_RESET_PASSWORD_PATH")?,
-                    flow
-                ),
-            )),
-        )?;
+        NotificationBuilder {
+            body: NotificationBody::ResetPassword { flow },
+        }
+        .insert(user_id, &mut txn, &redis)
+        .await?;
     }
 
+    txn.commit().await?;
+
     Ok(HttpResponse::Ok().finish())
 }