feat: Add beforePasswordResetRequest hook (#9906)

src/Routers/UsersRouter.js

@@ -12,6 +12,7 @@ import {
   Types as TriggerTypes,
   getRequestObject,
   resolveError,
+  inflate,
 } from '../triggers';
 import { promiseEnsureIdempotency } from '../middlewares';
 import RestWrite from '../RestWrite';
@@ -444,21 +445,59 @@ export class UsersRouter extends ClassesRouter {
     if (!email && !token) {
       throw new Parse.Error(Parse.Error.EMAIL_MISSING, 'you must provide an email');
     }
+
+    let userResults = null;
+    let userData = null;
+
+    // We can find the user using token
     if (token) {
-      const results = await req.config.database.find('_User', {
+      userResults = await req.config.database.find('_User', {
         _perishable_token: token,
         _perishable_token_expires_at: { $lt: Parse._encode(new Date()) },
       });
-      if (results && results[0] && results[0].email) {
-        email = results[0].email;
+      if (userResults?.length > 0) {
+        userData = userResults[0];
+        if (userData.email) {
+          email = userData.email;
+        }
+      }
+    // Or using email if no token provided
+    } else if (typeof email === 'string') {
+      userResults = await req.config.database.find(
+        '_User',
+        { $or: [{ email }, { username: email, email: { $exists: false } }] },
+        { limit: 1 },
+        Auth.maintenance(req.config)
+      );
+      if (userResults?.length > 0) {
+        userData = userResults[0];
       }
     }
+
     if (typeof email !== 'string') {
       throw new Parse.Error(
         Parse.Error.INVALID_EMAIL_ADDRESS,
         'you must provide a valid email string'
       );
     }
+
+    if (userData) {
+      this._sanitizeAuthData(userData);
+      // Get files attached to user
+      await req.config.filesController.expandFilesInObject(req.config, userData);
+
+      const user = inflate('_User', userData);
+
+      await maybeRunTrigger(
+        TriggerTypes.beforePasswordResetRequest,
+        req.auth,
+        user,
+        null,
+        req.config,
+        req.info.context
+      );
+    }
+
     const userController = req.config.userController;
     try {
       await userController.sendPasswordResetEmail(email);

src/cloud-code/Parse.Cloud.js

@@ -349,6 +349,48 @@ ParseCloud.afterLogout = function (handler) {
   triggers.addTrigger(triggers.Types.afterLogout, className, handler, Parse.applicationId);
 };
 
+/**
+ * Registers the before password reset request function.
+ *
+ * **Available in Cloud Code only.**
+ *
+ * This function provides control in validating a password reset request
+ * before the reset email is sent. It is triggered after the user is found
+ * by email, but before the reset token is generated and the email is sent.
+ *
+ * Code example:
+ *
+ * ```
+ * Parse.Cloud.beforePasswordResetRequest(request => {
+ *   if (request.object.get('banned')) {
+ *     throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User is banned.');
+ *   }
+ * });
+ * ```
+ *
+ * @method beforePasswordResetRequest
+ * @name Parse.Cloud.beforePasswordResetRequest
+ * @param {Function} func The function to run before a password reset request. This function can be async and should take one parameter a {@link Parse.Cloud.TriggerRequest};
+ */
+ParseCloud.beforePasswordResetRequest = function (handler, validationHandler) {
+  let className = '_User';
+  if (typeof handler === 'string' || isParseObjectConstructor(handler)) {
+    // validation will occur downstream, this is to maintain internal
+    // code consistency with the other hook types.
+    className = triggers.getClassName(handler);
+    handler = arguments[1];
+    validationHandler = arguments.length >= 2 ? arguments[2] : null;
+  }
+  triggers.addTrigger(triggers.Types.beforePasswordResetRequest, className, handler, Parse.applicationId);
+  if (validationHandler && validationHandler.rateLimit) {
+    addRateLimit(
+      { requestPath: `/requestPasswordReset`, requestMethods: 'POST', ...validationHandler.rateLimit },
+      Parse.applicationId,
+      true
+    );
+  }
+};
+
 /**
  * Registers an after save function.
  *

src/triggers.js

@@ -6,6 +6,7 @@ export const Types = {
   beforeLogin: 'beforeLogin',
   afterLogin: 'afterLogin',
   afterLogout: 'afterLogout',
+  beforePasswordResetRequest: 'beforePasswordResetRequest',
   beforeSave: 'beforeSave',
   afterSave: 'afterSave',
   beforeDelete: 'beforeDelete',
@@ -58,10 +59,10 @@ function validateClassNameForTriggers(className, type) {
     // TODO: Allow proper documented way of using nested increment ops
     throw 'Only afterSave is allowed on _PushStatus';
   }
-  if ((type === Types.beforeLogin || type === Types.afterLogin) && className !== '_User') {
+  if ((type === Types.beforeLogin || type === Types.afterLogin || type === Types.beforePasswordResetRequest) && className !== '_User') {
     // TODO: check if upstream code will handle `Error` instance rather
     // than this anti-pattern of throwing strings
-    throw 'Only the _User class is allowed for the beforeLogin and afterLogin triggers';
+    throw 'Only the _User class is allowed for the beforeLogin, afterLogin, and beforePasswordResetRequest triggers';
   }
   if (type === Types.afterLogout && className !== '_Session') {
     // TODO: check if upstream code will handle `Error` instance rather
@@ -287,6 +288,7 @@ export function getRequestObject(
     triggerType === Types.afterDelete ||
     triggerType === Types.beforeLogin ||
     triggerType === Types.afterLogin ||
+    triggerType === Types.beforePasswordResetRequest ||
     triggerType === Types.afterFind
   ) {
     // Set a copy of the context on the request object.