From db2dc58338783931f58d6fa29aa5b3f92bf8ca20 Mon Sep 17 00:00:00 2001
From: Jason
Date: Wed, 13 Jul 2022 18:45:11 +0100
Subject: [PATCH 1/4] Fix endpoint api/users/reset-password to set tenant ID via param.
---
 src/Core/Application/Identity/Users/IUserService.cs | 2 +-
 src/Host/Controllers/Identity/UsersController.cs | 4 ++--
 src/Infrastructure/Identity/UserService.Password.cs | 6 ++++--
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/Core/Application/Identity/Users/IUserService.cs b/src/Core/Application/Identity/Users/IUserService.cs
index 1fc688d91..d01be94a1 100644
--- a/src/Core/Application/Identity/Users/IUserService.cs
+++ b/src/Core/Application/Identity/Users/IUserService.cs
@@ -34,6 +34,6 @@ public interface IUserService : ITransientService
 Task ConfirmPhoneNumberAsync(string userId, string code);
 Task ForgotPasswordAsync(ForgotPasswordRequest request, string origin);
- Task ResetPasswordAsync(ResetPasswordRequest request);
+ Task ResetPasswordAsync(ResetPasswordRequest request, string tenant);
 Task ChangePasswordAsync(ChangePasswordRequest request, string userId);
 }
\ No newline at end of file
diff --git a/src/Host/Controllers/Identity/UsersController.cs b/src/Host/Controllers/Identity/UsersController.cs
index fd8a594bf..9d8ae4e9f 100644
--- a/src/Host/Controllers/Identity/UsersController.cs
+++ b/src/Host/Controllers/Identity/UsersController.cs
@@ -112,9 +112,9 @@ public Task ForgotPasswordAsync(ForgotPasswordRequest request)
 [HttpPost("reset-password")]
 [OpenApiOperation("Reset a user's password.", "")]
 [ApiConventionMethod(typeof(FSHApiConventions), nameof(FSHApiConventions.Register))]
- public Task ResetPasswordAsync(ResetPasswordRequest request)
+ public Task ResetPasswordAsync(ResetPasswordRequest request, [FromQuery] string tenant)
 {
- return _userService.ResetPasswordAsync(request);
+ return _userService.ResetPasswordAsync(request, tenant);
 }
 private string GetOriginFromRequest() => $"{Request.Scheme}://{Request.Host.Value}{Request.PathBase.Value}";
diff --git a/src/Infrastructure/Identity/UserService.Password.cs b/src/Infrastructure/Identity/UserService.Password.cs
index 20d3a7dc5..95d9db8c0 100644
--- a/src/Infrastructure/Identity/UserService.Password.cs
+++ b/src/Infrastructure/Identity/UserService.Password.cs
@@ -21,7 +21,7 @@ public async Task ForgotPasswordAsync(ForgotPasswordRequest request, str
 // For more information on how to enable account confirmation and password reset please
 // visit https://go.microsoft.com/fwlink/?LinkID=532713
 string code = await _userManager.GeneratePasswordResetTokenAsync(user);
- const string route = "account/reset-password";
+ string route = $"account/reset-password?token={code}";
 var endpointUri = new Uri(string.Concat($"{origin}/", route));
 string passwordResetUrl = QueryHelpers.AddQueryString(endpointUri.ToString(), "Token", code);
 var mailRequest = new MailRequest(
@@ -33,8 +33,10 @@ public async Task ForgotPasswordAsync(ForgotPasswordRequest request, str
 return _t["Password Reset Mail has been sent to your authorized Email."];
 }
- public async Task ResetPasswordAsync(ResetPasswordRequest request)
+ public async Task ResetPasswordAsync(ResetPasswordRequest request, string tenant)
 {
+ EnsureValidTenant();
+
 var user = await _userManager.FindByEmailAsync(request.Email?.Normalize());
 // Don't reveal that the user does not exist
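Review bot: The `tenant` value bound with `[FromQuery]` never reaches the tenant check: in this patch's UserService.Password.cs hunk the new `EnsureValidTenant();` takes no argument and the `tenant` parameter is otherwise unused, so the query parameter has no effect on which tenant the reset runs against, contrary to the commit subject. The parameter is also threaded through the IUserService.cs hunk of this patch. PATCH 3/4 in this series removes it again in favour of `[TenantIdHeader]`, so squashing would keep the dead parameter out of history; if the intermediate commit stays, the parameter should at least be passed to the check or its purpose documented. The service method's body continues outside the hunk.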
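Review bot: The reset token is placed in the mailed URL twice: the new `route` already embeds `?token={code}`, and the following `QueryHelpers.AddQueryString(endpointUri.ToString(), "Token", code)` appends it again under `Token`, so the link carries two copies of the secret. Keep the pre-existing `AddQueryString` call and revert the path to a plain literal, `const string route = "account/reset-password";`. PATCH 3/4 reverts this line anyway, so squashing avoids shipping the duplicated-token state. ForgotPasswordAsync starts outside the hunk.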
From 8c9e93cc05b0bc6df7d70a00e34df1f1017936ce Mon Sep 17 00:00:00 2001
From: Jason
Date: Wed, 13 Jul 2022 19:16:29 +0100
Subject: [PATCH 2/4] Add allow anonymous attribute.
---
 src/Host/Controllers/Identity/UsersController.cs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/Host/Controllers/Identity/UsersController.cs b/src/Host/Controllers/Identity/UsersController.cs
index 9d8ae4e9f..342fb82cd 100644
--- a/src/Host/Controllers/Identity/UsersController.cs
+++ b/src/Host/Controllers/Identity/UsersController.cs
@@ -110,6 +110,7 @@ public Task ForgotPasswordAsync(ForgotPasswordRequest request)
 }
 [HttpPost("reset-password")]
+ [AllowAnonymous]
 [OpenApiOperation("Reset a user's password.", "")]
 [ApiConventionMethod(typeof(FSHApiConventions), nameof(FSHApiConventions.Register))]
 public Task ResetPasswordAsync(ResetPasswordRequest request, [FromQuery] string tenant)
From 2d7d608fe2f56f96bfb8eb080b34e6c9263ae0a3 Mon Sep 17 00:00:00 2001
From: Jason
Date: Thu, 14 Jul 2022 11:11:02 +0100
Subject: [PATCH 3/4] Remove tenant param from ResetPasswordAsync interface; Add TennantIdHeader to ResetPasswordAsync method; Update message in ForgotPasswordAsync;
---
 src/Core/Application/Identity/Users/IUserService.cs | 2 +-
 src/Host/Controllers/Identity/UsersController.cs | 5 +++--
 src/Infrastructure/Identity/UserService.Password.cs | 4 ++--
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/Core/Application/Identity/Users/IUserService.cs b/src/Core/Application/Identity/Users/IUserService.cs
index d01be94a1..1fc688d91 100644
--- a/src/Core/Application/Identity/Users/IUserService.cs
+++ b/src/Core/Application/Identity/Users/IUserService.cs
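Review bot: Nothing in this hunk records why `reset-password` is safe to expose without a session: once `[AllowAnonymous]` is on the action, the reset token in the request body is the only credential protecting the account, and the hunk does not show where that token is validated (presumably inside `_userService.ResetPasswordAsync`), so that check should be confirmed and the reasoning pinned next to the attribute, `// Anonymous by design: the caller has no session yet; the reset token in the body is the credential.`. An anonymous endpoint that accepts a token and a new password should also sit under the same throttling as `forgot-password`, and its failure response should not distinguish an unknown e-mail from an invalid token. In this patch the action still takes `[FromQuery] string tenant`, so an unauthenticated caller selects the tenant; how that value is validated is not visible here.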
@@ -34,6 +34,6 @@ public interface IUserService : ITransientService
 Task ConfirmPhoneNumberAsync(string userId, string code);
 Task ForgotPasswordAsync(ForgotPasswordRequest request, string origin);
- Task ResetPasswordAsync(ResetPasswordRequest request, string tenant);
+ Task ResetPasswordAsync(ResetPasswordRequest request);
 Task ChangePasswordAsync(ChangePasswordRequest request, string userId);
 }
\ No newline at end of file
diff --git a/src/Host/Controllers/Identity/UsersController.cs b/src/Host/Controllers/Identity/UsersController.cs
index 342fb82cd..2ca9e92db 100644
--- a/src/Host/Controllers/Identity/UsersController.cs
+++ b/src/Host/Controllers/Identity/UsersController.cs
@@ -111,11 +111,12 @@ public Task ForgotPasswordAsync(ForgotPasswordRequest request)
 [HttpPost("reset-password")]
 [AllowAnonymous]
+ [TenantIdHeader]
 [OpenApiOperation("Reset a user's password.", "")]
 [ApiConventionMethod(typeof(FSHApiConventions), nameof(FSHApiConventions.Register))]
- public Task ResetPasswordAsync(ResetPasswordRequest request, [FromQuery] string tenant)
+ public Task ResetPasswordAsync(ResetPasswordRequest request)
 {
- return _userService.ResetPasswordAsync(request, tenant);
+ return _userService.ResetPasswordAsync(request);
 }
 private string GetOriginFromRequest() => $"{Request.Scheme}://{Request.Host.Value}{Request.PathBase.Value}";
diff --git a/src/Infrastructure/Identity/UserService.Password.cs b/src/Infrastructure/Identity/UserService.Password.cs
index 95d9db8c0..911bd611f 100644
--- a/src/Infrastructure/Identity/UserService.Password.cs
+++ b/src/Infrastructure/Identity/UserService.Password.cs
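Review bot: The mailed reset link carries no tenant identifier, yet with `[TenantIdHeader]` this anonymous action now takes the tenant from a request header: the URL built in ForgotPasswordAsync (the UserService.Password.cs hunks of PATCH 3/4 and 4/4) only appends `Token`, so a client that follows the link has nothing to put in that header. Either add the tenant to the mailed URL — tenant identifiers are not secrets — or document on the action that the caller must know its tenant out of band. If `[TenantIdHeader]` only describes the header for OpenAPI rather than enforcing it (I cannot tell from this hunk), the actual enforcement is the `EnsureValidTenant();` call in the service, and a one-line comment above the attribute saying so would help the next reader: `// Tenant comes from the tenant header; validated by EnsureValidTenant() in the service.`.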
@@ -21,7 +21,7 @@ public async Task ForgotPasswordAsync(ForgotPasswordRequest request, str
 // For more information on how to enable account confirmation and password reset please
 // visit https://go.microsoft.com/fwlink/?LinkID=532713
 string code = await _userManager.GeneratePasswordResetTokenAsync(user);
- string route = $"account/reset-password?token={code}";
+ const string route = $"account/reset-password";
 var endpointUri = new Uri(string.Concat($"{origin}/", route));
 string passwordResetUrl = QueryHelpers.AddQueryString(endpointUri.ToString(), "Token", code);
 var mailRequest = new MailRequest(
@@ -33,7 +33,7 @@ public async Task ForgotPasswordAsync(ForgotPasswordRequest request, str
 return _t["Password Reset Mail has been sent to your authorized Email."];
 }
- public async Task ResetPasswordAsync(ResetPasswordRequest request, string tenant)
+ public async Task ResetPasswordAsync(ResetPasswordRequest request)
 {
 EnsureValidTenant();
From c6464ce64d61ff10b529986a3618d5b6432a96cd Mon Sep 17 00:00:00 2001
From: Jason
Date: Thu, 14 Jul 2022 11:23:35 +0100
Subject: [PATCH 4/4] The email message now contains the API endpoint for password reset;
---
 src/Infrastructure/Identity/UserService.Password.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Infrastructure/Identity/UserService.Password.cs b/src/Infrastructure/Identity/UserService.Password.cs
index 911bd611f..b30a2eb1b 100644
--- a/src/Infrastructure/Identity/UserService.Password.cs
+++ b/src/Infrastructure/Identity/UserService.Password.cs
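Review bot: The `$` prefix on `const string route = $"account/reset-password";` marks an interpolated string with no holes; it only compiles as a `const` on C# 10 or later and adds nothing, so write the literal plainly: `const string route = "account/reset-password";`. PATCH 4/4 changes the path but keeps the `$` (`$"api/users/reset-password"`), so the same fix applies to that hunk. ForgotPasswordAsync starts outside the hunk.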
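Review bot: Nothing at the `EnsureValidTenant();` call says where the tenant context comes from now that the `tenant` parameter is gone; the controller hunk in this patch adds `[TenantIdHeader]`, which suggests a request header, but the service reads it implicitly. A short comment would make the dependency explicit and record that the check deliberately precedes any user lookup: `// Tenant is resolved from the request (see [TenantIdHeader] on the controller action); fail fast before touching user data.`. The method body continues outside the hunk, so how an invalid tenant surfaces to the anonymous caller is not visible here.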
@@ -21,7 +21,7 @@ public async Task ForgotPasswordAsync(ForgotPasswordRequest request, str
 // For more information on how to enable account confirmation and password reset please
 // visit https://go.microsoft.com/fwlink/?LinkID=532713
 string code = await _userManager.GeneratePasswordResetTokenAsync(user);
- const string route = $"account/reset-password";
+ const string route = $"api/users/reset-password";
 var endpointUri = new Uri(string.Concat($"{origin}/", route));
 string passwordResetUrl = QueryHelpers.AddQueryString(endpointUri.ToString(), "Token", code);
 var mailRequest = new MailRequest(
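Review bot: A link opened from a mail client cannot use the new URL on its own: `api/users/reset-password` names the action declared `[HttpPost("reset-password")]` in UsersController.cs (visible in the earlier patches of this series), which expects a JSON body and the tenant header, whereas the mail client issues a GET with neither. If the mail is meant for end users, the route should stay a front-end page that then calls the API; if it is meant for API clients, say so in the mail text or in a comment above `route`. The token still travels in the query string via `AddQueryString(..., "Token", code)` — pre-existing, but worth noting now that the URL targets the API host directly, where request logs may retain it. ForgotPasswordAsync starts outside the hunk.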