Fix User.resetPassword to call createAccessToken()

This allows User subclasses to override the algorithm used for building one-time access tokens for password recovery.
2016-12-11 03:12:54 +00:00 · 2016-12-11 03:12:54 +00:00 · b8f9b85609
parent d35e1a1b6f
commit b8f9b85609
2 changed files with 14 additions and 1 deletions
--- a/common/models/user.js
+++ b/common/models/user.js
@ -605,7 +605,7 @@ module.exports = function(User) {
        return cb(err);
      }

-      user.accessTokens.create({ ttl: ttl }, function(err, accessToken) {
+      user.createAccessToken(ttl, function(err, accessToken) {
        if (err) {
          return cb(err);
        }
--- a/test/user.test.js
+++ b/test/user.test.js
@ -1884,6 +1884,19 @@ describe('User', function() {
        });
      });

+      it('calls createAccessToken() to create the token', function(done) {
+        User.prototype.createAccessToken = function(ttl, cb) {
+          cb(null, new AccessToken({id: 'custom-token'}));
+        };
+
+        User.resetPassword({email: options.email}, function() {});
+
+        User.once('resetPasswordRequest', function(info) {
+          expect(info.accessToken.id).to.equal('custom-token');
+          done();
+        });
+      });
+
      it('Password reset over REST rejected without email address', function(done) {
        request(app)
          .post('/test-users/reset')