feat: add reset password

2026-05-19 15:23:22 +03:00
parent bd1faffbb0
commit 9c2190737a
13 changed files with 430 additions and 6 deletions
--- a/src/application/commands/forgot_password_complete.py
+++ b/src/application/commands/forgot_password_complete.py
@@ -0,0 +1,83 @@
+from src.application.abstractions import IUnitOfWork
+from src.application.contracts import IHashService, ILogger, ICache
+from src.application.domain.exceptions import ApplicationException
+from src.infrastructure.database.decorators import transactional
+
+
+class ForgotPasswordCompleteCommand:
+    def __init__(
+        self,
+        unit_of_work: IUnitOfWork,
+        hash_service: IHashService,
+        cache: ICache,
+        logger: ILogger,
+    ):
+        self._unit_of_work = unit_of_work
+        self._hash_service = hash_service
+        self._cache = cache
+        self._logger = logger
+
+    @staticmethod
+    def _normalize_email(email: str) -> str:
+        return email.strip().lower()
+
+    @transactional
+    async def __call__(
+        self,
+        *,
+        email: str,
+        code: str,
+        new_password: str,
+        confirm_password: str,
+    ) -> bool:
+        code = (code or '').strip()
+        normalized = self._normalize_email(email)
+
+        EMAIL_PREFIX = 'forgot_password:email:'
+        CODE_PREFIX = 'forgot_password:code:'
+
+        if new_password != confirm_password:
+            self._logger.info('Forgot password failed: passwords do not match')
+            raise ApplicationException(400, 'Passwords do not match')
+
+        code_key = f'{CODE_PREFIX}{code}'
+        cached_email = await self._cache.get(code_key)
+        if not cached_email:
+            self._logger.info('Forgot password failed: code not found')
+            raise ApplicationException(400, 'Invalid or expired code')
+
+        if cached_email != normalized:
+            self._logger.info('Forgot password failed: code-email mismatch')
+            raise ApplicationException(400, 'Invalid or expired code')
+
+        email_key = f'{EMAIL_PREFIX}{normalized}'
+        code_hash = await self._cache.get(email_key)
+        if not code_hash:
+            self._logger.info('Forgot password failed: email key missing')
+            raise ApplicationException(400, 'Invalid or expired code')
+
+        ok = await self._hash_service.verify(hashed_value=code_hash, plain_value=code)
+        if not ok:
+            self._logger.info('Forgot password failed: code hash mismatch')
+            raise ApplicationException(400, 'Invalid or expired code')
+
+        user = await self._unit_of_work.user_repository.get_user_by_email(normalized)
+        if user is None:
+            self._logger.info('Forgot password failed: user not found after valid code')
+            raise ApplicationException(400, 'Invalid or expired code')
+
+        new_password_hash = await self._hash_service.hash(new_password)
+        user = await self._unit_of_work.user_repository.set_password(
+            user_id=user.id,
+            password_hash=new_password_hash,
+        )
+        await self._cache.set_user(user.id, user)
+
+        try:
+            await self._cache.delete(code_key)
+            await self._cache.delete(email_key)
+        except Exception as e:
+            self._logger.warning(f'Forgot password cleanup failed (user_id={user.id}): {e}')
+
+        self._logger.info(f'Password reset via forgot flow for user_id={user.id}')
+        return True