From 76a390d03ed854acf99fb20878069caa615a23f4 Mon Sep 17 00:00:00 2001 From: Loay Date: Tue, 26 Jul 2016 13:19:41 -0400 Subject: [PATCH 1/3] Tighten password reset --- test/user.test.js | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/test/user.test.js b/test/user.test.js index e6d85d07..9b6873bb 100644 --- a/test/user.test.js +++ b/test/user.test.js @@ -1644,7 +1644,6 @@ describe('User', function() { if (err) return done(err); assert.equal(user.email, email); - done(); }); }); @@ -1684,6 +1683,35 @@ describe('User', function() { }); }); + describe('password reset without requiring email verification', function() { + var email = 'foo1@bar.com'; + it('disallows temp accessToken creation if email verification is required and done', function(done) { + var calledBack = false; + + User.resetPassword({ + email: 'foo1@bar.com', + }, function() { + calledBack = true; + }); + + User.once('resetPasswordRequest', function(info) { + assert(info.email); + assert(!info.accessToken); + assert(!info.accessToken.id); + assert.equal(info.accessToken.ttl / 60, 15); + assert(calledBack); + console.log(info); + info.accessToken.user(function(err, user) { + if (err) return done(err); + + assert.equal(user.email, email); + console.log(user.emailVerified); + done(); + }); + }); + }); + }); + describe('ctor', function() { it('exports default Email model', function() { expect(User.email, 'User.email').to.be.a('function'); From 0f3522e28d2655d2ac8a227275d2da917c713124 Mon Sep 17 00:00:00 2001 From: Loay Date: Wed, 3 Aug 2016 14:22:41 -0400 Subject: [PATCH 2/3] update code --- common/models/user.js | 33 +++++++++++++++++++++++---------- test/user.test.js | 24 ++++++++++++++++++++---- 2 files changed, 43 insertions(+), 14 deletions(-) diff --git a/common/models/user.js b/common/models/user.js index ecf03592..bd9bcbc6 100644 --- a/common/models/user.js +++ b/common/models/user.js 
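Review bot: The `@@ -1644,7 +1644,6 @@` hunk deletes the `done();` that followed `assert.equal(user.email, email)` inside the `info.accessToken.user` callback, and the diffstat shows it is this patch's only deletion, so the pre-existing test that callback belongs to no longer signals completion and will run into the mocha timeout unless `done` is called somewhere else in that test. The enclosing `it` starts outside the hunk, so that cannot be confirmed here; the later patches in the series only touch the new describe block and do not restore the line. Unless the removal is intentional, the line should be kept: `done();`.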
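Review bot: In the new 'disallows temp accessToken creation …' test, `assert(!info.accessToken);` is immediately followed by `assert(!info.accessToken.id);`, which dereferences the value the previous line requires to be falsy, so whenever the first assertion passes the second throws a TypeError instead of a clean assertion failure; the `assert.equal(info.accessToken.ttl / 60, 15)` and `info.accessToken.user(...)` lines that follow have the same problem and belong in a test for the token-issuing path, leaving `assert(!info.accessToken);` on its own here. This patch changes only the test file, so at this point in the series there is no change to `User.resetPassword` that would make a listener see an event without a token. The two `console.log` calls look like leftover debugging output. The test also depends on a user with email 'foo1@bar.com' already existing with a verified address; no fixture setup is visible in the hunk, so that presumably lives in a `beforeEach` outside it.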
@@ -560,19 +560,32 @@ module.exports = function(User) { err.code = 'EMAIL_NOT_FOUND'; return cb(err); } + if (user && user.emailVerified) { + user.accessTokens.create({ ttl: ttl }, function(err, accessToken) { + if (err) { + return cb(err); + } + cb(); + UserModel.emit('resetPasswordRequest', { + email: options.email, + user: user, + }); + }); + } else if (user && !user.emailVerified) { // create a short lived access token for temp login to change password // TODO(ritch) - eventually this should only allow password change - user.accessTokens.create({ ttl: ttl }, function(err, accessToken) { - if (err) { - return cb(err); - } - cb(); - UserModel.emit('resetPasswordRequest', { - email: options.email, - accessToken: accessToken, - user: user, + user.accessTokens.create({ ttl: ttl }, function(err, accessToken) { + if (err) { + return cb(err); + } + cb(); + UserModel.emit('resetPasswordRequest', { + email: options.email, + accessToken: accessToken, + user: user, + }); }); - }); + } }); return cb.promise; diff --git a/test/user.test.js b/test/user.test.js index 9b6873bb..b44ceca1 100644 --- a/test/user.test.js +++ b/test/user.test.js @@ -1685,7 +1685,8 @@ describe('User', function() { describe('password reset without requiring email verification', function() { var email = 'foo1@bar.com'; - it('disallows temp accessToken creation if email verification is required and done', function(done) { + it('disallows temp accessToken creation if email verification is required and done', + function(done) { var calledBack = false; User.resetPassword({ 
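Review bot: The two branches added around the token creation invert the stated goal of tightening password reset: the `else if (user && !user.emailVerified)` branch is the one that still creates the short-lived login token and emits it as `accessToken`, while a user whose email is verified gets a `resetPasswordRequest` event with no `accessToken` at all, so a listener that builds the reset link from `info.accessToken.id` has nothing to send and the unverified address keeps the less restricted path. The verified branch also creates a live token and then drops it from the event, leaving a usable login token with no consumer. The `user &&` guards are redundant because the `EMAIL_NOT_FOUND` return just above already handles a missing user. If the intent is to refuse a reset for unverified addresses, reject in that case and keep the existing token flow for verified users, gating the check on the model's `emailVerificationRequired` setting so deployments that do not require verification are unaffected:
```javascript
      if (UserModel.settings.emailVerificationRequired && !user.emailVerified) {
        // A reset token is a login credential; do not issue one to an address
        // that has not proven it can receive mail for this account.
        err = new Error('Email has not been verified');
        err.statusCode = 401;
        return cb(err);
      }
      // … unchanged: create short-lived access token and emit resetPasswordRequest with accessToken …
```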
@@ -1697,15 +1698,30 @@ describe('User', function() { User.once('resetPasswordRequest', function(info) { assert(info.email); assert(!info.accessToken); - assert(!info.accessToken.id); + assert(calledBack); + done(); + }); + }); + it('creates accessToken if email has not been verified', function(done) { + var email = 'foo@bar.com'; + var calledBack = false; + + User.resetPassword({ + email: 'foo@bar.com', + }, function() { + calledBack = true; + }); + + User.once('resetPasswordRequest', function(info) { + assert(info.email); + assert(info.accessToken); + assert(info.accessToken.id); assert.equal(info.accessToken.ttl / 60, 15); assert(calledBack); - console.log(info); info.accessToken.user(function(err, user) { if (err) return done(err); assert.equal(user.email, email); - console.log(user.emailVerified); done(); }); }); From 6c1618b14e5aded5fd2bb35343ff3a26691da374 Mon Sep 17 00:00:00 2001 From: Loay Date: Thu, 4 Aug 2016 09:19:07 -0400 Subject: [PATCH 3/3] Update acesstoken function --- common/models/user.js | 12 +++--------- test/user.test.js | 1 - 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/common/models/user.js b/common/models/user.js index bd9bcbc6..b0674f13 100644 --- a/common/models/user.js +++ b/common/models/user.js @@ -561,15 +561,9 @@ module.exports = function(User) { return cb(err); } if (user && user.emailVerified) { - user.accessTokens.create({ ttl: ttl }, function(err, accessToken) { - if (err) { - return cb(err); - } - cb(); - UserModel.emit('resetPasswordRequest', { - email: options.email, - user: user, - }); + UserModel.emit('resetPasswordRequest', { + email: options.email, + user: user, }); } else if (user && !user.emailVerified) { // create a short lived access token for temp login to change password diff --git a/test/user.test.js b/test/user.test.js index b44ceca1..cd1dbea9 100644 --- a/test/user.test.js +++ b/test/user.test.js 
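Review bot: The new test 'creates accessToken if email has not been verified' pins the weaker behaviour rather than the tightened one: it requires that `resetPassword` for an address that has not been verified still emits an `accessToken` with a 15-minute `ttl`, i.e. a short-lived login credential for an unverified mailbox, and the sibling 'disallows' test requires that a verified user gets no token, so neither test would catch the branches in `common/models/user.js` being the wrong way round. The expected outcomes should be swapped, with the unverified case asserting an error from the `resetPassword` callback. Two smaller points in the same hunk: `var email = 'foo@bar.com';` shadows the `email` declared at the describe level, and `User.once('resetPasswordRequest', ...)` is registered after `User.resetPassword` has been called, which only works because the lookup is asynchronous; registering the listener before the `User.resetPassword({ email: ... }, ...)` call makes the test independent of that ordering. The enclosing describe block starts outside the hunk.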
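Review bot: After this change the `user.emailVerified` branch emits `resetPasswordRequest` but never calls `cb()`, so for a verified user the `resetPassword` callback never fires and `cb.promise` never settles, leaving any caller waiting on the callback or the promise hanging; the test hunk `@@ -1698,7 +1698,6 @@` in this same patch removes `assert(calledBack);`, which hides the regression instead of fixing it. Add `cb();` before the `UserModel.emit(...)` call in that branch, mirroring the token-creating branch below it, and restore the `assert(calledBack)` check in the test. The branch also still sends verified users an event without an `accessToken`, so the question of which branch should be issuing the token remains open from the previous patch; the surrounding callback starts outside the hunk.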
@@ -1698,7 +1698,6 @@ describe('User', function() { User.once('resetPasswordRequest', function(info) { assert(info.email); assert(!info.accessToken); - assert(calledBack); done(); }); });