Reset Password/Email verification

common/models/user.js

@@ -574,14 +574,14 @@ module.exports = function(User) {
         err.code = 'EMAIL_NOT_FOUND';
         return cb(err);
       }
-      if (user && user.emailVerified) {
-        UserModel.emit('resetPasswordRequest', {
-          email: options.email,
-          user: user,
-        });
-      } else if (user && !user.emailVerified) {
       // create a short lived access token for temp login to change password
       // TODO(ritch) - eventually this should only allow password change
+      if (UserModel.settings.emailVerificationRequired && !user.emailVerified) {
+        err = new Error(g.f('Email has not been verified'));
+        err.statusCode = 401;
+        err.code = 'RESET_FAILED_EMAIL_NOT_VERIFIED';
+        cb(err);
+      } else {
         user.accessTokens.create({ ttl: ttl }, function(err, accessToken) {
           if (err) {
             return cb(err);

example/mobile-models/app.js

@@ -18,9 +18,8 @@ var Application = models.Application(dataSource);
 
 app.model(Application);
 
-
 var data = { pushSettings: [
-    {   'platform': 'apns',
+    { 'platform': 'apns',
         'apns': {
           'pushOptions': {
             'gateway': 'gateway.sandbox.push.apple.com',
@@ -42,7 +41,6 @@ Application.create(data, function(err, data) {
   g.log('Created: %s', data.toObject());
 });
 
-
 Application.register('rfeng', 'MyApp', { description: g.f('My first mobile application') },
 function(err, result) {
   console.log(result.toObject());

example/simple-data-source/app.js

@@ -10,7 +10,6 @@ var app = loopback();
 
 app.use(loopback.rest());
 
-
 var dataSource = app.dataSource('db', { adapter: 'memory' });
 
 var Color = dataSource.define('color', {

lib/persisted-model.js

@@ -718,7 +718,6 @@ module.exports = function(registry) {
 
     setRemoting(PersistedModel, 'replaceById', replaceByIdOptions);
 
-
     setRemoting(PersistedModel, 'find', {
       description: 'Find all instances of the model matched by filter from the data source.',
       accessType: 'READ',

test/replication.rest.test.js

@@ -494,7 +494,7 @@ describe('Replication over REST', function() {
     });
 
     ServerCar = loopback.createModel('ServerCar', CAR_PROPS, CAR_OPTS);
-    serverApp.model(ServerCar, {  dataSource: 'db', public: true });
+    serverApp.model(ServerCar, { dataSource: 'db', public: true });
 
     serverApp.use(function(req, res, next) {
       debug(req.method + ' ' + req.path);
@@ -535,7 +535,7 @@ describe('Replication over REST', function() {
 
     LocalCar = loopback.createModel('LocalCar', CAR_PROPS, CAR_OPTS);
     LocalCar.Change.Checkpoint = ClientCheckpoint;
-    clientApp.model(LocalCar, {  dataSource: 'db' });
+    clientApp.model(LocalCar, { dataSource: 'db' });
 
     var remoteOpts = createRemoteModelOpts(USER_OPTS);
     RemoteUser = loopback.createModel('RemoteUser', USER_PROPS, remoteOpts);
@@ -543,7 +543,7 @@ describe('Replication over REST', function() {
 
     remoteOpts = createRemoteModelOpts(CAR_OPTS);
     RemoteCar = loopback.createModel('RemoteCar', CAR_PROPS, remoteOpts);
-    clientApp.model(RemoteCar, {  dataSource: 'remote' });
+    clientApp.model(RemoteCar, { dataSource: 'remote' });
   }
 
   function createRemoteModelOpts(modelOpts) {

test/user.test.js

@@ -1762,44 +1762,48 @@ describe('User', function() {
     });
   });
 
-  describe('password reset without requiring email verification', function() {
-    var email = 'foo1@bar.com';
-    it('disallows temp accessToken creation if email verification is required and done',
+  describe('password reset with/without email verification', function() {
+    it('allows resetPassword by email if email verification is required and done',
     function(done) {
+      User.settings.emailVerificationRequired = true;
+      var email = 'foo1@bar.com';
       var calledBack = false;
 
-      User.resetPassword({
-        email: 'foo1@bar.com',
-      }, function() {
-        calledBack = true;
-      });
-
-      User.once('resetPasswordRequest', function(info) {
-        assert(info.email);
-        assert(!info.accessToken);
-        done();
-      });
-    });
-    it('creates accessToken if email has not been verified', function(done) {
-      var email = 'foo@bar.com';
-      var calledBack = false;
-
-      User.resetPassword({
-        email: 'foo@bar.com',
-      }, function() {
+      User.resetPassword({ email: 'foo1@bar.com' }, function() {
         calledBack = true;
       });
 
       User.once('resetPasswordRequest', function(info) {
         assert(info.email);
         assert(info.accessToken);
-        assert(info.accessToken.id);
-        assert.equal(info.accessToken.ttl / 60, 15);
-        assert(calledBack);
-        info.accessToken.user(function(err, user) {
-          if (err) return done(err);
+        assert(info.user.emailVerified);
+        done();
+      });
+    });
 
-          assert.equal(user.email, email);
+    it('disallows resetPassword by email if email verification is required and not done',
+    function(done) {
+      User.settings.emailVerificationRequired = true;
+      var email = 'foo@bar.com';
+
+      User.resetPassword({ email: 'foo@bar.com' }, function(err) {
+        assert(err);
+        assert.equal(err.code, 'RESET_FAILED_EMAIL_NOT_VERIFIED');
+        assert.equal(err.statusCode, 401);
+        done ();
+      });
+    });
+
+    it('allows resetPassword by email if email verification is not required',
+    function(done) {
+      User.settings.emailVerificationRequired = false;
+      var email = 'foo@bar.com';
+
+      User.resetPassword({ email: 'foo@bar.com' }, function(err) {
+        User.once('resetPasswordRequest', function(info) {
+          assert(info.email);
+          assert(info.accessToken);
+          assert(!info.user.emailVerified);
           done();
         });
       });