Merge pull request #2671 from strongloop/Password-Security
Allow resetPassword by email only if email verification was done
commit
4ec0ac2218
|
@ -576,6 +576,13 @@ module.exports = function(User) {
|
|||
}
|
||||
// create a short lived access token for temp login to change password
|
||||
// TODO(ritch) - eventually this should only allow password change
|
||||
if (UserModel.settings.emailVerificationRequired && !user.emailVerified) {
|
||||
err = new Error(g.f('Email has not been verified'));
|
||||
err.statusCode = 401;
|
||||
err.code = 'RESET_FAILED_EMAIL_NOT_VERIFIED';
|
||||
return cb(err);
|
||||
}
|
||||
|
||||
user.accessTokens.create({ ttl: ttl }, function(err, accessToken) {
|
||||
if (err) {
|
||||
return cb(err);
|
||||
|
|
|
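Review bot: The new guard at `if (UserModel.settings.emailVerificationRequired && !user.emailVerified)` answers an unauthenticated caller who supplied only an email address with a distinct 401 and code `RESET_FAILED_EMAIL_NOT_VERIFIED`, so the response discloses that the account exists and has not completed verification. Whether that matters depends on how the lookup-failure path above this hunk (outside SOURCE) responds; if account state should not be observable, both paths should return the same shape and the distinguishing code should go to a server-side log instead. Separately, `err = new Error(g.f('Email has not been verified'));` assigns without a declaration — fine if `err` is the enclosing callback's parameter, but otherwise an implicit global in sloppy mode; `var err = new Error(g.f('Email has not been verified'));` removes the doubt. The enclosing function starts and ends outside the hunk.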
@ -1763,6 +1763,43 @@ describe('User', function() {
|
|||
});
|
||||
});
|
||||
|
||||
describe('password reset with/without email verification', function() {
|
||||
it('allows resetPassword by email if email verification is required and done',
|
||||
function(done) {
|
||||
User.settings.emailVerificationRequired = true;
|
||||
var email = validCredentialsEmailVerified.email;
|
||||
|
||||
User.resetPassword({ email: email }, function(err, info) {
|
||||
if (err) return done (err);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('disallows resetPassword by email if email verification is required and not done',
|
||||
function(done) {
|
||||
User.settings.emailVerificationRequired = true;
|
||||
var email = validCredentialsEmail;
|
||||
|
||||
User.resetPassword({ email: email }, function(err) {
|
||||
assert(err);
|
||||
assert.equal(err.code, 'RESET_FAILED_EMAIL_NOT_VERIFIED');
|
||||
assert.equal(err.statusCode, 401);
|
||||
done ();
|
||||
});
|
||||
});
|
||||
|
||||
it('allows resetPassword by email if email verification is not required',
|
||||
function(done) {
|
||||
User.settings.emailVerificationRequired = false;
|
||||
var email = validCredentialsEmail;
|
||||
|
||||
User.resetPassword({ email: email }, function(err) {
|
||||
if (err) return done (err);
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('ctor', function() {
|
||||
it('exports default Email model', function() {
|
||||
expect(User.email, 'User.email').to.be.a('function');
|
||||
|
|
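Review bot: All three new tests assign `User.settings.emailVerificationRequired` directly and never restore it, so the flag's final value leaks into `describe('ctor', ...)` and every later suite, and the third case passes only because it happens to run after the first two. Save and restore it around the block: `var originalFlag; before(function() { originalFlag = User.settings.emailVerificationRequired; }); after(function() { User.settings.emailVerificationRequired = originalFlag; });`. The positive case at `User.resetPassword({ email: email }, function(err, info)` only checks for the absence of an error; asserting on `info` (or on whatever the reset hands back to the caller) would pin that the verified user actually got a reset rather than a silent no-op. The `done (err)` and `done ()` spacing differs from the surrounding calls and will trip a `func-call-spacing` rule if the project's lint enforces one.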