From 21b8609ee23e8c0113bf2086235fa6490d25681d Mon Sep 17 00:00:00 2001
From: Raymond Feng <raymond@strongloop.com>
Date: Wed, 16 Jul 2014 22:42:05 -0700
Subject: [PATCH] Report error for User.confirm()

See https://github.com/strongloop/loopback/issues/377
---
 lib/models/user.js | 13 +++++--
 test/user.test.js  | 90 ++++++++++++++++++++++++++++++++++------------
 2 files changed, 77 insertions(+), 26 deletions(-)

diff --git a/lib/models/user.js b/lib/models/user.js
index e1518bd4..8b47b510 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -358,18 +358,25 @@ User.confirm = function (uid, token, redirect, fn) {
     if(err) {
       fn(err);
     } else {
-      if(user.verificationToken === token) {
+      if(user && user.verificationToken === token) {
         user.verificationToken = undefined;
         user.emailVerified = true;
         user.save(function (err) {
           if(err) {
-            fn(err)
+            fn(err);
           } else {
             fn();
           }
         });
       } else {
-        fn(new Error('invalid token'));
+        if (user) {
+          err = new Error('Invalid token: ' + token);
+          err.statusCode = 400;
+        } else {
+          err = new Error('User not found: ' + uid);
+          err.statusCode = 404;
+        }
+        fn(err);
       }
     }
   });
diff --git a/test/user.test.js b/test/user.test.js
index 8b2e7b92..1b6785c8 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -426,7 +426,7 @@ describe('User', function(){
   });
   
   describe('Verification', function(){
-    
+
     describe('user.verify(options, fn)', function(){
       it('Verify a user\'s email address', function(done) {
         User.afterRemote('create', function(ctx, user, next) {
@@ -445,8 +445,6 @@ describe('User', function(){
             assert(result.email);
             assert(result.email.message);
             assert(result.token);
-            
-            
             assert(~result.email.message.indexOf('To: bar@bat.com'));
             done();
           });
@@ -462,13 +460,15 @@ describe('User', function(){
           });
       });
     });
-  
-    describe('User.confirm(options, fn)', function(){
-      it('Confirm a user verification', function(done) {
-        User.afterRemote('create', function(ctx, user, next) {
+
+    describe('User.confirm(options, fn)', function () {
+      var options;
+
+      function testConfirm(testFunc, done) {
+        User.afterRemote('create', function (ctx, user, next) {
           assert(user, 'afterRemote should include result');
-          
-          var options = {
+
+          options = {
             type: 'email',
             to: user.email,
             from: 'noreply@myapp.org',
@@ -476,29 +476,73 @@ describe('User', function(){
             protocol: ctx.req.protocol,
             host: ctx.req.get('host')
           };
-      
+
           user.verify(options, function (err, result) {
-            if(err) return done(err);
-            
-            request(app)
-              .get('/users/confirm?uid=' + result.uid + '&token=' + encodeURIComponent(result.token) + '&redirect=' + encodeURIComponent(options.redirect))
-              .expect(302)
-              .expect('location', options.redirect)
-              .end(function(err, res){
-                if(err) return done(err);
-                done();
-              });
+            if (err) {
+              return done(err);
+            }
+            testFunc(result, done);
           });
         });
-            
+
         request(app)
           .post('/users')
           .expect('Content-Type', /json/)
           .expect(302)
           .send({email: 'bar@bat.com', password: 'bar'})
-          .end(function(err, res){
-            if(err) return done(err);
+          .end(function (err, res) {
+            if (err) {
+              return done(err);
+            }
           });
+      }
+
+      it('Confirm a user verification', function (done) {
+        testConfirm(function (result, done) {
+          request(app)
+            .get('/users/confirm?uid=' + (result.uid )
+              + '&token=' + encodeURIComponent(result.token)
+              + '&redirect=' + encodeURIComponent(options.redirect))
+            .expect(302)
+            .end(function (err, res) {
+              if (err) {
+                return done(err);
+              }
+              done();
+            });
+        }, done);
+      });
+
+      it('Report error for invalid user id during verification', function (done) {
+        testConfirm(function (result, done) {
+          request(app)
+            .get('/users/confirm?uid=' + (result.uid + '_invalid')
+              + '&token=' + encodeURIComponent(result.token)
+              + '&redirect=' + encodeURIComponent(options.redirect))
+            .expect(404)
+            .end(function (err, res) {
+              if (err) {
+                return done(err);
+              }
+              assert(res.body.error);
+              done();
+            });
+        }, done);
+      });
+
+      it('Report error for invalid token during verification', function (done) {
+        testConfirm(function (result, done) {
+          request(app)
+            .get('/users/confirm?uid=' + result.uid
+              + '&token=' + encodeURIComponent(result.token) + '_invalid'
+              + '&redirect=' + encodeURIComponent(options.redirect))
+            .expect(400)
+            .end(function (err, res) {
+              if (err) return done(err);
+              assert(res.body.error);
+              done();
+            });
+        }, done);
       });
     });
   });