Pow reset password - custom controller questions

Hi, for learning purposes I create API using Elixir/Phoenix. I’ve created whole custom authentication and after that I do the same using POW with custom controllers (just to learn how it works under the hood and have my boilerplates for next projects).

I stopped for a while doing custom controllers for Forgot password and reset password functions.

I read a lot of topics on forum but still i can’t pass through reset and update new password.

My function to forgot_password looks like that:

  @spec forgot_password(Conn.t(), map()) :: Conn.t()
  def forgot_password(conn, %{"user" => user_params}) do
    conn
    |> PowResetPassword.Plug.create_reset_token(user_params)
    |> case do
      {:ok, %{token: token, user: _user}, conn} ->
        #send email
        conn
        |> put_status(200)
        |> json(%{data: %{status: 200, message: "Email has been sent", token: token}})

      {:error, _changeset, conn} ->
        conn
        |> put_status(200)
        |> json(%{data: %{status: 200, message: "Email has been sent"}})
    end
  end

Its pretty straighforward. Always giving status 200 for security purposes, and token for passing it in POSTMAN during resetting password. I know that it should never go to production like that and Pow token is stored in cache. If You have some advices how to use Postman for authorization without passing tokens by hand in body I’d appreciate that (similar I have shown access tokens and renewal for register/login controllers)

For reset_password I wrote that function:

def reset_password(conn, %{"id" => token, "user" => user_params}) do

    with {:ok, conn} <- PowResetPassword.Plug.load_user_by_token(conn, token),
         {:ok, _user, conn}  <- PowResetPassword.Plug.update_user_password(conn, user_params) do
          conn
          |> put_status(:ok)
          |> json(%{status: "Password changed"})
    else
          {:error, changeset} ->
            {:error, changeset, conn}

          _ ->
            conn
            |> json(%{error: %{message: "Expired Token"}})
    end
end

The problem is like I found in docs and while testing, that update_user_password never returns an error when password and confirmation are not equal in this case (but in plug.ex its written that in should return {:error, changeset, conn}.
It returns “Password changed” and “Expired token”. Even if I put different passwords in body. Of course it doesnt change password then but I want to have two different errors if user makes mistake during writing password.

I found also on forum that function

  @spec reset_password(Conn.t(), map()) :: Conn.t()
  def reset_password(conn, %{"id" => token, "user" => user_params}) do
   conn
   |> PowResetPassword.Plug.load_user_by_token(token)
   |> case do
      {:ok, conn} ->
        PowResetPassword.Plug.update_user_password(conn, user_params)

      {:error, conn} ->
        json(conn, %{error: %{message: "Expired Token"}})
    end

  json(conn, %{status: "ok"})
  #end

It returns “ok” even if i put different password in body, but thankfully doesnt change it in DB. Expired token appears when loading user by token fails.

What comes to my mind is to put function for check password inputs if they are equal before updating password but I dont think if it is the best solution. Either nesting case statements looks awful.

Thanks for helping :slight_smile:

I read again docs and refactored a little function. Now it looks awful but works, I need to think prettier solution.

  @spec reset_password(Conn.t(), map()) :: Conn.t()
  def reset_password(conn, %{"id" => token, "user" => user_params}) do

    conn
      |> PowResetPassword.Plug.load_user_by_token(token)
      |> case do
          {:ok, conn} ->
            PowResetPassword.Plug.update_user_password(conn, user_params)
            |> case do
              {:error, _changeset, conn} ->
                json(conn, %{message: "Invalid passwords"})

              {:ok, _user, conn} ->
                json(conn, %{message: "Password changed"})
            end

          {:error, conn} ->
            json(conn, %{error: %{message: "Expired Token"}})
        end        
  end

OR

  @spec reset_password(Conn.t(), map()) :: Conn.t()
  def reset_password(conn, %{"id" => token, "user" => user_params}) do

    with {:ok, conn} <- PowResetPassword.Plug.load_user_by_token(conn, token),
         {:ok, _user, conn}  <- PowResetPassword.Plug.update_user_password(conn, user_params) do
          conn
          |> put_status(:ok)
          |> json(%{status: "Password changed"})
    else
          {:error, _changeset, conn} ->
            json(conn, %{error: %{message: "Passwords are not the same"}})

          _ ->
            json(conn, %{error: %{message: "Expired Token"}})
    end
  end

I mark as solution if it works well while testing but I’m still waiting for some advices about tokens cause I am elixir newbie :slight_smile:

1 Like