Do not reuse reset password links

author Chocobozzz <me@florianbigard.com>

Wed, 12 Aug 2020 07:15:31 +0000 (09:15 +0200)

committer Chocobozzz <me@florianbigard.com>

Wed, 12 Aug 2020 07:16:08 +0000 (09:16 +0200)
author Chocobozzz <me@florianbigard.com>
Wed, 12 Aug 2020 07:15:31 +0000 (09:15 +0200)
committer Chocobozzz <me@florianbigard.com>
Wed, 12 Aug 2020 07:16:08 +0000 (09:16 +0200)
diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts

index 5ae0dc7a736a530d8faf92339c8ed5c63d2426db..5b113feacded9b9c64f81fb7470c995c3349996b 100644 (file)
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -356,6 +356,7 @@ async function resetUserPassword (req: express.Request, res: express.Response) {
    user.password = req.body.password
  
    await user.save()
+  await Redis.Instance.removePasswordVerificationString(user.id)
  
    return res.status(204).end()
  }
diff --git a/server/lib/redis.ts b/server/lib/redis.ts

index 5313c46857a95254df77cc2d4717e763a803db3d..a075eee2d900e9765f96d04578e2a167ecb90db4 100644 (file)
--- a/server/lib/redis.ts
+++ b/server/lib/redis.ts
@@ -84,6 +84,10 @@ class Redis {
      return generatedString
    }
  
+  async removePasswordVerificationString (userId: number) {
+    return this.removeValue(this.generateResetPasswordKey(userId))
+  }
+
    async getResetPasswordLink (userId: number) {
      return this.getValue(this.generateResetPasswordKey(userId))
    }
@@ -290,6 +294,16 @@ class Redis {
      })
    }
  
+  private removeValue (key: string) {
+    return new Promise<void>((res, rej) => {
+      this.client.del(this.prefix + key, err => {
+        if (err) return rej(err)
+
+        return res()
+      })
+    })
+  }
+
    private setObject (key: string, obj: { [id: string]: string }, expirationMilliseconds: number) {
      return new Promise<void>((res, rej) => {
        this.client.hmset(this.prefix + key, obj, (err, ok) => {
diff --git a/server/tests/api/server/email.ts b/server/tests/api/server/email.ts

index b01a91d48aea093209641062867b210ee85cb0fc..05c89d2a38b69b4a891f0c136da978df7e738ae4 100644 (file)
--- a/server/tests/api/server/email.ts
+++ b/server/tests/api/server/email.ts
@@ -123,6 +123,10 @@ describe('Test emails', function () {
        await resetPassword(server.url, userId, verificationString, 'super_password2')
      })
  
+    it('Should not reset the password with the same verification string', async function () {
+      await resetPassword(server.url, userId, verificationString, 'super_password3', 403)
+    })
+
      it('Should login with this new password', async function () {
        user.password = 'super_password2'
author	Chocobozzz <me@florianbigard.com>
	Wed, 12 Aug 2020 07:15:31 +0000 (09:15 +0200)
committer	Chocobozzz <me@florianbigard.com>
	Wed, 12 Aug 2020 07:16:08 +0000 (09:16 +0200)
server/controllers/api/users/index.ts		patch \| blob \| blame \| history
server/lib/redis.ts		patch \| blob \| blame \| history
server/tests/api/server/email.ts		patch \| blob \| blame \| history