startPasswordReset static method

Future<PasswordResetResult> startPasswordReset(
  1. Session session, {
  2. required String email,
  3. Transaction? transaction,
})

Sends out a password reset email for the given account, if it exists.

The caller may check the returned PasswordResetResult, but this should not be exposed to the client, so that this method can not be misused to check which emails are registered.

Each reset request will be logged to the database outside of the transaction and can not be rolled back, so the throttling will always be enforced.

Throws an EmailAccountPasswordResetRequestTooManyAttemptsException in case the client or account has been involved in too many reset attempts.

Implementation

static Future<PasswordResetResult> startPasswordReset(
  final Session session, {
  required String email,
  final Transaction? transaction,
}) async {
  return DatabaseUtil.runInTransactionOrSavepoint(
    session.db,
    transaction,
    (final transaction) async {
      email = email.trim().toLowerCase();

      if (await _hasTooManyPasswordResetRequestAttempts(
        session,
        email: email,
      )) {
        throw EmailAccountPasswordResetRequestTooManyAttemptsException();
      }

      final account = await EmailAccount.db.findFirstRow(
        session,
        where: (final t) => t.email.equals(email),
        transaction: transaction,
      );

      if (account == null) {
        return PasswordResetResult.emailDoesNotExist;
      }

      final verificationCode =
          EmailAccounts.config.passwordResetVerificationCodeGenerator();

      final verificationCodeHash = await EmailAccountSecretHash.createHash(
        value: verificationCode,
      );

      final resetRequest =
          await EmailAccountPasswordResetRequest.db.insertRow(
        session,
        EmailAccountPasswordResetRequest(
          emailAccountId: account.id!,
          verificationCodeHash: verificationCodeHash.hash.asByteData,
          verificationCodeSalt: verificationCodeHash.salt.asByteData,
        ),
        transaction: transaction,
      );

      EmailAccounts.config.sendPasswordResetVerificationCode?.call(
        session,
        email: email,
        passwordResetRequestId: resetRequest.id!,
        verificationCode: verificationCode,
        transaction: transaction,
      );

      return PasswordResetResult.passwordResetSent;
    },
  );
}