From 403e677155fd743eecf1802fd155b9a0bf9b24ec Mon Sep 17 00:00:00 2001
From: Simo Moujami <smoujami@ziji-media.com>
Date: Fri, 30 Oct 2015 17:59:31 -0400
Subject: [PATCH] Fix user.resetPassword to fail on email not found

---
 common/models/user.js | 54 +++++++++++++++++++++++--------------------
 test/user.test.js     |  9 ++++++++
 2 files changed, 38 insertions(+), 25 deletions(-)

diff --git a/common/models/user.js b/common/models/user.js
index dd07a620..d53d0998 100644
--- a/common/models/user.js
+++ b/common/models/user.js
@@ -506,35 +506,39 @@ module.exports = function(User) {
     var ttl = UserModel.settings.resetPasswordTokenTTL || DEFAULT_RESET_PW_TTL;
 
     options = options || {};
-    if (typeof options.email === 'string') {
-      UserModel.findOne({ where: {email: options.email} }, function(err, user) {
-        if (err) {
-          cb(err);
-        } else if (user) {
-          // create a short lived access token for temp login to change password
-          // TODO(ritch) - eventually this should only allow password change
-          user.accessTokens.create({ttl: ttl}, function(err, accessToken) {
-            if (err) {
-              cb(err);
-            } else {
-              cb();
-              UserModel.emit('resetPasswordRequest', {
-                email: options.email,
-                accessToken: accessToken,
-                user: user
-              });
-            }
-          });
-        } else {
-          cb();
-        }
-      });
-    } else {
-      var err = new Error('email is required');
+    if (typeof options.email !== 'string') {
+      var err = new Error('Email is required');
       err.statusCode = 400;
       err.code = 'EMAIL_REQUIRED';
       cb(err);
+      return cb.promise;
     }
+
+    UserModel.findOne({ where: {email: options.email} }, function(err, user) {
+      if (err) {
+        return cb(err);
+      }
+      if (!user) {
+        err = new Error('Email not found');
+        err.statusCode = 404;
+        err.code = 'EMAIL_NOT_FOUND';
+        return cb(err);
+      }
+      // create a short lived access token for temp login to change password
+      // TODO(ritch) - eventually this should only allow password change
+      user.accessTokens.create({ttl: ttl}, function(err, accessToken) {
+        if (err) {
+          return cb(err);
+        }
+        cb();
+        UserModel.emit('resetPasswordRequest', {
+          email: options.email,
+          accessToken: accessToken,
+          user: user
+        });
+      });
+    });
+
     return cb.promise;
   };
 
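Review bot: The new `if (!user)` branch answers an unknown address with `EMAIL_NOT_FOUND` / 404, so a caller can now tell registered addresses from unregistered ones, whereas the removed code called `cb()` with no error in both cases. If resetPassword is exposed to unauthenticated clients (not visible in this hunk), that difference allows account enumeration; consider keeping the uniform success response by default, returning the 404 only behind an explicit model setting, and rate-limiting the route either way. At minimum the branch should carry a comment such as `// NOTE: discloses whether the email is registered; keep this endpoint rate-limited`. Separately, `typeof options.email !== 'string'` still accepts an empty string, which then reaches `findOne`; `if (typeof options.email !== 'string' || !options.email)` would reject it with `EMAIL_REQUIRED`. The enclosing function starts above the hunk, so how `cb` and `cb.promise` are set up is not visible here.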
diff --git a/test/user.test.js b/test/user.test.js
index 063d2378..42dc1368 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -1383,6 +1383,15 @@ describe('User', function() {
           });
       });
 
+      it('Reports when email is not found', function(done) {
+        User.resetPassword({ email: 'unknown@email.com' }, function(err) {
+          assert(err);
+          assert.equal(err.code, 'EMAIL_NOT_FOUND');
+          assert.equal(err.statusCode, 404);
+          done();
+        });
+      });
+
       it('Creates a temp accessToken to allow a user to change password', function(done) {
         var calledBack = false;