feat: officer password edit route

Dwigoric · Nov 22, 2023 · 33f1146 · 33f1146
1 parent d81eb48
commit 33f1146
Showing 1 changed file with 34 additions and 9 deletions.
diff --git a/src/routes/officers.js b/src/routes/officers.js
@@ -1,6 +1,7 @@
 // Import packages
 import express from 'express'
 import passport from 'passport'
+import argon2 from 'argon2'
 
 // Import models
 import LoanOfficer from '../models/loan_officer.js'
@@ -20,15 +21,9 @@ router.get('/', async (req, res, next) => {
         if (!manager) return res.status(401).json(info)
 
         try {
-            const officers = await LoanOfficer.find().lean()
-
-            // Remove sensitive data
-            officers.forEach((officer) => {
-                delete officer.password_hash
-                delete officer._id
-                delete officer.__v
-                delete officer.name._id
-            })
+            const officers = await LoanOfficer.find()
+                .select('-password_hash -_id -__v -name._id')
+                .lean()
 
             res.status(200).json({ officers })
         } catch (err) {
@@ -67,6 +62,36 @@ router.get('/:id', async (req, res, next) => {
     })(req, res, next)
 })
 
+/**
+ * PATCH /:id
+ *
+ * Update officer's password by UUID. This route is only accessible to the admin and loan officers.
+ */
+router.patch('/:id/password', async (req, res, next) => {
+    passport.authenticate('admin', { session: false }, async (err, admin, info) => {
+        if (err) return next(err)
+        if (!admin) return res.status(401).json(info)
+
+        const officer = await LoanOfficer.findOne({ id: req.params.id }).lean()
+        if (!officer) return res.status(404).json({ message: 'Loan officer not found' })
+
+        // Validate password
+        const { password } = req.body
+        if (!password || password.length < 8) {
+            return res.status(400).json({ message: 'Password must be at least 8 characters' })
+        }
+
+        const password_hash = await argon2.hash(password)
+
+        try {
+            await LoanOfficer.updateOne({ id: req.params.id }, { password_hash })
+            res.status(200).json({ message: 'Loan officer password updated' })
+        } catch (err) {
+            res.status(500).send({ message: err.message })
+        }
+    })(req, res, next)
+})
+
 /**
  * DELETE /:id
  *