// SPDX-FileCopyrightText: Copyright Orangebot, Inc. and Medplum contributors
// SPDX-License-Identifier: Apache-2.0
//
// Password-set endpoint. A caller presents the id and secret of a stored
// UserSecurityRequest plus a new password; if the request is unused, of an
// allowed type and the secret matches, the referenced User receives a new
// bcrypt hash and the request is burned (marked used).
import { allOk, badRequest } from '@medplum/core';
import type { Reference, User, UserSecurityRequest } from '@medplum/fhirtypes';
import type { Request, Response } from 'express';
import { body } from 'express-validator';
import { pwnedPassword } from 'hibp';
import { sendOutcome } from '../fhir/outcomes';
import { getSystemRepo } from '../fhir/repo';
import { timingSafeEqualStr } from '../oauth/utils';
import { makeValidationMiddleware } from '../util/validator';
import { bcryptHashPassword } from './utils';

/**
 * Request-body validation for the set-password endpoint.
 *
 * Rejects before any resource lookup happens: `id` must be a UUID, `secret`
 * must be non-empty, and `password` must be at least 8 characters. Breach
 * checking of the password is done later in the handler, not here.
 */
export const setPasswordValidator = makeValidationMiddleware([
  body('id').isUUID().withMessage('Invalid request ID'),
  body('secret').notEmpty().withMessage('Missing secret'),
  body('password').isLength({ min: 8 }).withMessage('Invalid password, must be at least 8 characters'),
]);

/**
 * Consumes a UserSecurityRequest and sets the referenced user's password.
 *
 * The checks run in a fixed order and each failure returns a 400 outcome:
 * 1. the request must not already be used (one-time token);
 * 2. the request must not be of type `verify-email` (that flow is not
 *    allowed to set a password; presumably handled by another endpoint);
 * 3. the presented secret must equal the stored one, compared with the
 *    timing-safe helper so a mismatch cannot be probed byte by byte;
 * 4. the new password must not appear in the HIBP breach corpus.
 * Only then is the hash stored, the user's email marked verified, and the
 * request marked used.
 *
 * @param req - Express request; `req.body` has already passed `setPasswordValidator`.
 * @param res - Express response; an OperationOutcome is written via `sendOutcome`.
 * @returns Resolves once the outcome has been sent.
 * @throws Propagates errors from the repository and from `pwnedPassword`
 *   (e.g. an unknown request id or a network failure reaching HIBP), so the
 *   endpoint fails closed; NOTE(review): confirm the surrounding router wraps
 *   async handlers so such rejections become an error response.
 */
export async function setPasswordHandler(req: Request, res: Response): Promise<void> {
  // System repo: this runs before the caller has any authenticated identity.
  const systemRepo = getSystemRepo();
  const securityRequest = await systemRepo.readResource<UserSecurityRequest>('UserSecurityRequest', req.body.id);
  // Replay protection: a consumed request can never set a password again.
  if (securityRequest.used) {
    sendOutcome(res, badRequest('Already used'));
    return;
  }
  // Deny-list on type: only 'verify-email' is refused here; any other type
  // stored on the request is accepted by this handler.
  if (securityRequest.type === 'verify-email') {
    sendOutcome(res, badRequest('Invalid request type'));
    return;
  }
  // Constant-time comparison of the presented secret against the stored one.
  // The `as string` cast assumes a stored request always carries a secret —
  // NOTE(review): confirm the request creation path guarantees this.
  if (!timingSafeEqualStr(securityRequest.secret as string, req.body.secret)) {
    sendOutcome(res, badRequest('Incorrect secret'));
    return;
  }
  // The user is only resolved after the secret has been verified.
  const user = await systemRepo.readReference(securityRequest.user as Reference<User>);
  // Breach check against HIBP (k-anonymity lookup is done inside the library);
  // runs after the secret check so unauthenticated callers cannot use this
  // endpoint as a free breach-lookup oracle.
  const numPwns = await pwnedPassword(req.body.password);
  if (numPwns > 0) {
    sendOutcome(res, badRequest('Password found in breach database', 'password'));
    return;
  }
  // Possession of the secret is treated as proof of control of the account's
  // email, hence emailVerified is set here as well — presumably the secret
  // was delivered by email; verify against the request creation path.
  await setPassword({ ...user, emailVerified: true }, req.body.password);
  // Burn the request only after the password write succeeded. NOTE(review):
  // if this update fails, the password has changed but the request stays
  // reusable until it is marked used; no expiry check is visible in this
  // file, so confirm request lifetime is enforced elsewhere.
  await systemRepo.updateResource<typeof securityRequest>({ ...securityRequest, used: true });
  sendOutcome(res, allOk);
}

/**
 * Stores a new bcrypt hash of `password` on `user`.
 *
 * The clear-text password is only passed to `bcryptHashPassword`; only the
 * resulting hash is written to the User resource.
 *
 * @param user - The User resource to update (any other fields are written back unchanged).
 * @param password - The new clear-text password.
 * @returns Resolves once the updated User has been persisted.
 */
export async function setPassword(user: User, password: string): Promise<void> {
  const passwordHash = await bcryptHashPassword(password);
  const systemRepo = getSystemRepo();
  await systemRepo.updateResource<User>({ ...user, passwordHash });
}
