enhance forgot password flow with hCaptcha validation

flopez7 · flopez7 · commit 24b9880a4354 · 2025-07-10T18:40:23.000+02:00
diff --git a/packages/apps/job-launcher/client/src/components/Auth/ForgotPasswordForm.jsx b/packages/apps/job-launcher/client/src/components/Auth/ForgotPasswordForm.jsx
@@ -26,7 +26,11 @@ export const ForgotPasswordForm = () => {
   const handleForgotPassword = async ({ email }) => {
     setIsLoading(true);
     try {
-      await authService.forgotPassword(email);
+      const hCaptchaToken = await captchaRef.current.getResponse();
+      await authService.forgotPassword({
+        email,
+        hCaptchaToken,
+      });
       setIsSuccess(true);
     } catch (err) {
       showError(err);
diff --git a/packages/apps/job-launcher/client/src/services/auth.ts b/packages/apps/job-launcher/client/src/services/auth.ts
@@ -1,4 +1,5 @@
 import {
+  ForgotPasswordRequest,
   ResetPasswordRequest,
   SignInRequest,
   SignUpRequest,
@@ -24,8 +25,8 @@ export const signOut = async (refreshToken: string) => {
   return data;
 };
 
-export const forgotPassword = async (email: string) => {
-  await api.post('/auth/forgot-password', { email });
+export const forgotPassword = async (body: ForgotPasswordRequest) => {
+  await api.post('/auth/forgot-password', body);
 };
 
 export const resetPassword = async (body: ResetPasswordRequest) => {
diff --git a/packages/apps/job-launcher/client/src/types/index.ts b/packages/apps/job-launcher/client/src/types/index.ts
@@ -17,6 +17,11 @@ export type SignUpResponse = {
   refreshToken: string;
 };
 
+export type ForgotPasswordRequest = {
+  email: string;
+  hCaptchaToken: string;
+};
+
 export type ResetPasswordRequest = {
   password: string;
   token: string;
diff --git a/packages/apps/job-launcher/server/src/modules/auth/auth.controller.ts b/packages/apps/job-launcher/server/src/modules/auth/auth.controller.ts
@@ -166,8 +166,7 @@ export class AuthJwtController {
     @Body() data: ForgotPasswordDto,
     @Ip() ip: string,
   ): Promise<void> {
-    console.log('IP:', ip);
-    await this.authService.forgotPassword(data);
+    await this.authService.forgotPassword(data, ip);
   }
 
   @Public()
diff --git a/packages/apps/job-launcher/server/src/modules/auth/auth.dto.ts b/packages/apps/job-launcher/server/src/modules/auth/auth.dto.ts
@@ -13,6 +13,10 @@ export class ForgotPasswordDto {
   @IsEmail()
   @Transform(({ value }: { value: string }) => value.toLowerCase())
   public email: string;
+
+  @ApiProperty({ name: 'h_captcha_token' })
+  @IsString()
+  public hCaptchaToken: string;
 }
 
 export class SignInDto {
diff --git a/packages/apps/job-launcher/server/src/modules/auth/auth.service.spec.ts b/packages/apps/job-launcher/server/src/modules/auth/auth.service.spec.ts
@@ -330,21 +330,30 @@ describe('AuthService', () => {
     it('should throw NotFoundError if user is not found', () => {
       findByEmailMock.mockResolvedValue(null);
       expect(
-        authService.forgotPassword({ email: 'user@example.com' }),
+        authService.forgotPassword({
+          email: 'user@example.com',
+          hCaptchaToken: 'token',
+        }),
       ).rejects.toThrow(new NotFoundError(ErrorUser.NotFound));
     });
 
     it('should throw ForbiddenError if user is not active', () => {
       userEntity.status = UserStatus.INACTIVE;
       findByEmailMock.mockResolvedValue(userEntity);
       expect(
-        authService.forgotPassword({ email: 'user@example.com' }),
+        authService.forgotPassword({
+          email: 'user@example.com',
+          hCaptchaToken: 'token',
+        }),
       ).rejects.toThrow(new ForbiddenError(ErrorUser.UserNotActive));
     });
 
     it('should remove existing token if it exists', async () => {
       findTokenMock.mockResolvedValue(tokenEntity);
-      await authService.forgotPassword({ email: 'user@example.com' });
+      await authService.forgotPassword({
+        email: 'user@example.com',
+        hCaptchaToken: 'token',
+      });
 
       expect(tokenRepository.deleteOne).toHaveBeenCalled();
     });
@@ -353,7 +362,7 @@ describe('AuthService', () => {
       sendGridService.sendEmail = jest.fn();
       const email = 'user@example.com';
 
-      await authService.forgotPassword({ email });
+      await authService.forgotPassword({ email, hCaptchaToken: 'token' });
 
       expect(sendGridService.sendEmail).toHaveBeenCalledWith(
         expect.objectContaining({
diff --git a/packages/apps/job-launcher/server/src/modules/auth/auth.service.ts b/packages/apps/job-launcher/server/src/modules/auth/auth.service.ts
@@ -181,7 +181,23 @@ export class AuthService {
     return { accessToken, refreshToken: newRefreshTokenEntity.uuid };
   }
 
-  public async forgotPassword(data: ForgotPasswordDto): Promise<void> {
+  public async forgotPassword(
+    data: ForgotPasswordDto,
+    ip?: string,
+  ): Promise<void> {
+    if (
+      !(
+        await verifyToken(
+          this.authConfigService.hcaptchaProtectionUrl,
+          this.authConfigService.hCaptchaSiteKey,
+          this.authConfigService.hCaptchaSecret,
+          data.hCaptchaToken,
+          ip,
+        )
+      ).success
+    ) {
+      throw new ForbiddenError(ErrorAuth.InvalidCaptchaToken);
+    }
     const userEntity = await this.userRepository.findByEmail(data.email);
 
     if (!userEntity) {

Original file line number	Diff line number	Diff line change
`@@ -166,8 +166,7 @@ export class AuthJwtController {`
`166`	`166`	`@Body() data: ForgotPasswordDto,`
`167`	`167`	`@Ip() ip: string,`
`168`	`168`	`): Promise<void> {`
`169`		`- console.log('IP:', ip);`
`170`		`- await this.authService.forgotPassword(data);`
	`169`	`+ await this.authService.forgotPassword(data, ip);`
`171`	`170`	`}`
`172`	`171`
`173`	`172`	`@Public()`