From 3b4cadf7a3c87978f6c4cb23fcb786ee77169e86 Mon Sep 17 00:00:00 2001
From: Ron Edgecomb
Date: Mon, 22 Dec 2014 15:39:47 -0500
Subject: [PATCH 1/7] Update to demonstrate unit test is actually failing due to incorrect values of invalidCredentials - strongloop/loopback#944
---
 test/user.test.js | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/test/user.test.js b/test/user.test.js
index 60ef9182..a8852c83 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -223,6 +223,9 @@ describe('User', function() {
 .expect(401)
 .send(invalidCredentials)
 .end(function(err, res) {
+ if (err) {
+ return done(err);
+ }
 done();
 });
 });
From 6de1da5d223146cf9fc1152febf1ae0fa538ff29 Mon Sep 17 00:00:00 2001
From: Ron Edgecomb
Date: Mon, 22 Dec 2014 15:41:49 -0500
Subject: [PATCH 2/7] Correct invalidCredentials so that it differs from validCredentialsEmailVerified, unit test now passes as desired. - strongloop/loopback#944
---
 test/user.test.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/user.test.js b/test/user.test.js
index a8852c83..76c6b4c9 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -11,7 +11,7 @@ describe('User', function() {
 var validCredentialsEmailVerified = {email: 'foo1@bar.com', password: 'bar1', emailVerified: true};
 var validCredentialsEmailVerifiedOverREST = {email: 'foo2@bar.com', password: 'bar2', emailVerified: true};
 var validCredentialsWithTTL = {email: 'foo@bar.com', password: 'bar', ttl: 3600};
- var invalidCredentials = {email: 'foo1@bar.com', password: 'bar1'};
+ var invalidCredentials = {email: 'foo1@bar.com', password: 'invalid'};
 var incompleteCredentials = {password: 'bar1'};
 beforeEach(function() {
From 572a8bb4237fa9d953a257a8f047bdc2b79e9a85 Mon Sep 17 00:00:00 2001
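Review bot: The callback added in the hunk at line 223 only forwards `err` and never reads `res`, so the whole `.end(function(err, res) { ... })` could be written `.end(done)`. Going by the commit messages, the missing guard is what let this test pass while it was sending credentials that were not actually invalid, and handing `done` straight to `.end` leaves no guard to forget. The same shape recurs in PATCH 3/7 (hunks at new lines 242, 257 and 366) and in the 400 test added by PATCH 7/7. The enclosing `it(...)` starts outside the hunk.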
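Review bot: The `invalidCredentials` declaration in the hunk at line 11 now differs from `validCredentialsEmailVerified` only in its password, and nothing at the declaration says that the shared address is intentional, which is how the two fixtures could drift into being identical before. A comment such as `// same account as validCredentialsEmailVerified, deliberately wrong password` would document the dependency. Whether `beforeEach` actually seeds `foo1@bar.com` is outside the hunk, so the comment should be checked against it.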
From: Ron Edgecomb
Date: Mon, 22 Dec 2014 15:48:12 -0500
Subject: [PATCH 3/7] Ensure error checking logic is in place for all REST calls, expand formatting for consistency with existing instances. - strongloop/loopback#944
---
 test/user.test.js | 44 ++++++++++++++++++++++++++++++++++++--------
 1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/test/user.test.js b/test/user.test.js
index 76c6b4c9..daacc031 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -142,6 +142,9 @@ describe('User', function() {
 .expect(200)
 .send(validCredentialsEmailVerifiedOverREST)
 .end(function(err, res) {
+ if (err) {
+ return done(err);
+ }
 assert(!res.body.emailVerified);
 done();
 });
@@ -204,7 +207,9 @@ describe('User', function() {
 .expect(200)
 .send(validCredentials)
 .end(function(err, res) {
- if (err) return done(err);
+ if (err) {
+ return done(err);
+ }
 var accessToken = res.body;
 assert(accessToken.userId);
@@ -237,6 +242,9 @@ describe('User', function() {
 .expect(400)
 .send(incompleteCredentials)
 .end(function(err, res) {
+ if (err) {
+ return done(err);
+ }
 done();
 });
 });
@@ -249,6 +257,9 @@ describe('User', function() {
 .expect(400)
 .send(validCredentials)
 .end(function(err, res) {
+ if (err) {
+ return done(err);
+ }
 done();
 });
 });
@@ -260,7 +271,9 @@ describe('User', function() {
 .expect(200)
 .expect('Content-Type', /json/)
 .end(function(err, res) {
- if (err) return done(err);
+ if (err) {
+ return done(err);
+ }
 var token = res.body;
 expect(token.user, 'body.user').to.not.equal(undefined);
 expect(token.user, 'body.user')
@@ -276,7 +289,9 @@ describe('User', function() {
 .expect(200)
 .expect('Content-Type', /json/)
 .end(function(err, res) {
- if (err) return done(err);
+ if (err) {
+ return done(err);
+ }
 var token = res.body;
 expect(token.user, 'body.user').to.not.equal(undefined);
 expect(token.user, 'body.user')
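Review bot: In the hunk at new line 142, `assert(!res.body.emailVerified)` inspects only the response body, so a server that leaves the flag out of the reply but still persists the client-supplied `emailVerified: true` would pass this test. The fixture name suggests the test guards against a client marking its own address as verified over REST, and reading the stored record back would pin the property that matters. The sketch below replaces the bare `done()` and assumes the create response carries the new user's `id`; the test's `it(...)` line is outside the hunk.

```javascript
        .end(function(err, res) {
          // … unchanged: err guard and assert(!res.body.emailVerified) …
          // The response alone cannot show what was persisted, so read the record back.
          User.findById(res.body.id, function(err, user) {
            if (err) {
              return done(err);
            }
            assert(user);
            assert(!user.emailVerified);
            done();
          });
        });
```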
@@ -332,7 +347,9 @@ describe('User', function() {
 .expect(200)
 .send(validCredentialsEmailVerified)
 .end(function(err, res) {
- if (err) return done(err);
+ if (err) {
+ return done(err);
+ }
 var accessToken = res.body;
 assertGoodToken(accessToken);
@@ -349,6 +366,9 @@ describe('User', function() {
 .expect(401)
 .send(validCredentials)
 .end(function(err, res) {
+ if (err) {
+ return done(err);
+ }
 done();
 });
 });
@@ -538,7 +558,9 @@ describe('User', function() {
 .expect(200)
 .send({email: 'foo@bar.com', password: 'bar'})
 .end(function(err, res) {
- if (err) return done(err);
+ if (err) {
+ return done(err);
+ }
 var accessToken = res.body;
 assert(accessToken.userId);
@@ -650,7 +672,9 @@ describe('User', function() {
 .expect(200)
 .send({email: 'bar@bat.com', password: 'bar'})
 .end(function(err, res) {
- if (err) return done(err);
+ if (err) {
+ return done(err);
+ }
 });
 });
@@ -681,7 +705,9 @@ describe('User', function() {
 .expect(200)
 .send({email: 'bar@bat.com', password: 'bar'})
 .end(function(err, res) {
- if (err) return done(err);
+ if (err) {
+ return done(err);
+ }
 });
 });
@@ -764,7 +790,9 @@ describe('User', function() {
 + '&redirect=' + encodeURIComponent(options.redirect))
 .expect(400)
 .end(function(err, res) {
- if (err) return done(err);
+ if (err) {
+ return done(err);
+ }
 assert(res.body.error);
 done();
 });
From e4a1baa4a33b9d127d2c9847d0aaea1e4409e647 Mon Sep 17 00:00:00 2001
From: Ron Edgecomb
Date: Mon, 22 Dec 2014 16:49:12 -0500
Subject: [PATCH 4/7] Force request to send body as string, this ensures headers aren't automatically set to application/json - strongloop/loopback#944
---
 test/user.test.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/user.test.js b/test/user.test.js
index daacc031..d88f0f33 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -255,7 +255,7 @@ describe('User', function() {
 .set('Content-Type', null)
 .expect('Content-Type', /json/)
 .expect(400)
- .send(validCredentials)
+ .send(JSON.stringify(validCredentials))
 .end(function(err, res) {
 if (err) {
 return done(err);
From 36112d2b509eded44f107630d63621cd78d63a4d Mon Sep 17 00:00:00 2001
From: Ron Edgecomb
Date: Mon, 22 Dec 2014 17:20:15 -0500
Subject: [PATCH 5/7] Simplify the API test for invalidCredentials (removed create), move above REST calls for better grouping of tests - strongloop/loopback#944
---
 test/user.test.js | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/test/user.test.js b/test/user.test.js
index d88f0f33..cf96924a 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -200,6 +200,14 @@ describe('User', function() {
 });
 });
+ it('Login should only allow correct credentials', function(done) {
+ User.login(invalidCredentials, function(err, accessToken) {
+ assert(err);
+ assert(!accessToken);
+ done();
+ });
+ });
+
 it('Login a user over REST by providing credentials', function(done) {
 request(app)
 .post('/users/login')
@@ -300,15 +308,6 @@ describe('User', function() {
 });
 });
- it('Login should only allow correct credentials', function(done) {
- User.create({email: 'foo22@bar.com', password: 'bar'}, function(user, err) {
- User.login({email: 'foo44@bar.com', password: 'bar'}, function(err, accessToken) {
- assert(err);
- assert(!accessToken);
- done();
- });
- });
- });
 });
 function assertGoodToken(accessToken) {
From 9ac620c11340364733d6aa8ea6730fe67d9c38b5 Mon Sep 17 00:00:00 2001
From: Ron Edgecomb
Date: Mon, 22 Dec 2014 17:24:30 -0500
Subject: [PATCH 6/7] Small formatting update to have consistency with identical logic in other areas. - strongloop/loopback#944
---
 test/user.test.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/test/user.test.js b/test/user.test.js
index cf96924a..260e9c99 100644
--- a/test/user.test.js
+++ b/test/user.test.js
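Review bot: Nothing at the `.send(JSON.stringify(validCredentials))` line in the hunk at line 255 says why the body is pre-serialised; the reason lives only in the commit message. A comment such as `// send a string: an object body would make superagent set Content-Type: application/json` would keep a later cleanup from reverting it. It may also be worth stating which Content-Type the server then receives, since superagent, as far as I recall, falls back to a form-encoded type for string bodies when none is set. The `it(...)` line of this test is outside the hunk.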
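Review bot: `assert(err)` in the relocated 'Login should only allow correct credentials' test (hunk at line 200) accepts any error, so a failure unrelated to the password check, for instance the `foo1@bar.com` account not being seeded (not visible in this diff), would also satisfy it. Asserting the kind of failure, e.g. `assert.equal(err.statusCode, 401);` if `User.login` reports the same status the REST test expects, would tie the test to the credential check. The version removed in the next hunk used an address with no account (`foo44@bar.com`), so after this patch the unknown-account rejection is no longer exercised by this test and would merit a case of its own. The bare `assert(err)` in 'Requires email address to reset password' (PATCH 7/7) has the same weakness.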
@@ -582,7 +582,9 @@ describe('User', function() {
 assert(token);
 return function(err) {
- if (err) return done(err);
+ if (err) {
+ return done(err);
+ }
 AccessToken.findById(token, function(err, accessToken) {
 assert(!accessToken, 'accessToken should not exist after logging out');
From 62bb63b4f252a9ddac6c1296bc38ff90a0549bc5 Mon Sep 17 00:00:00 2001
From: Ron Edgecomb
Date: Mon, 22 Dec 2014 22:12:50 -0500
Subject: [PATCH 7/7] Additional password reset unit tests for API and REST - strongloop/loopback#944
---
 test/user.test.js | 39 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/test/user.test.js b/test/user.test.js
index 260e9c99..a3b43c93 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -804,9 +804,17 @@ describe('User', function() {
 describe('Password Reset', function() {
 describe('User.resetPassword(options, cb)', function() {
+ var email = 'foo@bar.com';
+
+ it('Requires email address to reset password', function(done) {
+ User.resetPassword({ }, function(err) {
+ assert(err);
+ done();
+ });
+ });
+
 it('Creates a temp accessToken to allow a user to change password', function(done) {
 var calledBack = false;
- var email = 'foo@bar.com';
 User.resetPassword({
 email: email
@@ -826,6 +834,35 @@ describe('User', function() {
 });
 });
 });
+
+ it('Password reset over REST rejected without email address', function(done) {
+ request(app)
+ .post('/users/reset')
+ .expect('Content-Type', /json/)
+ .expect(400)
+ .send({ })
+ .end(function(err, res) {
+ if (err) {
+ return done(err);
+ }
+ done();
+ });
+ });
+
+ it('Password reset over REST requires email address', function(done) {
+ request(app)
+ .post('/users/reset')
+ .expect('Content-Type', /json/)
+ .expect(204)
+ .send({ email: email })
+ .end(function(err, res) {
+ if (err) {
+ return done(err);
+ }
+ assert.deepEqual(res.body, { });
+ done();
+ });
+ });
 });
 });
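Review bot: The second test added in the hunk at line 826, 'Password reset over REST requires email address', is the success case (`.expect(204)` with an address supplied), so its title reads like the rejection test above it; something like `it('Password reset over REST accepts a request with an email address', ...)` would say what is asserted. Neither REST test covers an address that has no account, so the status returned in that case is left unpinned, and a later change that makes registered and unregistered addresses answer differently would not show up in this suite. `email` is the `foo@bar.com` value hoisted in the previous hunk; whether that account is seeded is not visible in this diff.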