Merge pull request #2671 from strongloop/Password-Security

Allow resetPassword by email only if email verification was done
Loay 2016-08-26 15:58:39 -04:00 committed by GitHub
commit 4ec0ac2218
2 changed files with 44 additions and 0 deletions


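--- a/<file-1-path-not-shown>
+++ b/<file-1-path-not-shown>
@@ -576,6 +576,13 @@ module.exports = function(User) {
 }
 // create a short lived access token for temp login to change password
 // TODO(ritch) - eventually this should only allow password change
+if (UserModel.settings.emailVerificationRequired && !user.emailVerified) {
+err = new Error(g.f('Email has not been verified'));
+err.statusCode = 401;
+err.code = 'RESET_FAILED_EMAIL_NOT_VERIFIED';
+return cb(err);
+}
 user.accessTokens.create({ ttl: ttl }, function(err, accessToken) {
 if (err) {
 return cb(err);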
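Review bot: The new guard assigns `err = new Error(...)` without a declaration; that is fine if `err` is declared earlier in resetPassword, which the hunk does not show, but otherwise it becomes an implicit global in sloppy mode, and `var err = new Error(g.f('Email has not been verified'));` would make the branch self-contained either way. The distinct `RESET_FAILED_EMAIL_NOT_VERIFIED` code with 401 lets an unauthenticated caller tell a registered-but-unverified address from a verified one; if the surrounding code already returns a distinct error for an unknown email this adds no new exposure, but it deserves a comment such as `// distinct code is deliberate: the reset flow already distinguishes unknown emails` or, if enumeration resistance is wanted, the same generic response as the other failure paths. The enclosing resetPassword function starts and ends outside the hunk.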


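--- a/<file-2-path-not-shown>
+++ b/<file-2-path-not-shown>
@@ -1763,6 +1763,43 @@ describe('User', function() {
 });
 });
+describe('password reset with/without email verification', function() {
+it('allows resetPassword by email if email verification is required and done',
+function(done) {
+User.settings.emailVerificationRequired = true;
+var email = validCredentialsEmailVerified.email;
+User.resetPassword({ email: email }, function(err, info) {
+if (err) return done (err);
+done();
+});
+});
+it('disallows resetPassword by email if email verification is required and not done',
+function(done) {
+User.settings.emailVerificationRequired = true;
+var email = validCredentialsEmail;
+User.resetPassword({ email: email }, function(err) {
+assert(err);
+assert.equal(err.code, 'RESET_FAILED_EMAIL_NOT_VERIFIED');
+assert.equal(err.statusCode, 401);
+done ();
+});
+});
+it('allows resetPassword by email if email verification is not required',
+function(done) {
+User.settings.emailVerificationRequired = false;
+var email = validCredentialsEmail;
+User.resetPassword({ email: email }, function(err) {
+if (err) return done (err);
+done();
+});
+});
+});
 describe('ctor', function() {
 it('exports default Email model', function() {
 expect(User.email, 'User.email').to.be.a('function');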
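Review bot: The three tests set `User.settings.emailVerificationRequired` at each `User.settings.emailVerificationRequired = true;` / `= false;` line and never restore it, so whichever test runs last dictates the setting seen by every later test in the `User` suite, including the `ctor` block that follows. Save and restore it around the new describe, e.g. `var originalSetting; beforeEach(function() { originalSetting = User.settings.emailVerificationRequired; });` paired with `afterEach(function() { User.settings.emailVerificationRequired = originalSetting; });`. The `done (err)` and `done ()` spacing at three call sites differs from the `done(err)` form used elsewhere in the hunk, and the unused `info` parameter in the first callback can be dropped.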