author | Chocobozzz <me@florianbigard.com> | 2020-08-12 09:15:31 +0200 |
committer | Chocobozzz <me@florianbigard.com> | 2020-08-12 09:16:08 +0200 |
commit | e9c5f123383e461a890c95368dce6f79d3b84660 (patch) | |
tree | b6c55e9572a3566d4f2defbff314ac8414be8212 | |
parent | 857961f0ee39f90dc3267cebd2b5e3f718115d06 (diff) | |
Do not reuse reset password links
-rw-r--r-- | server/controllers/api/users/index.ts | 1 | ||||
-rw-r--r-- | server/lib/redis.ts | 14 | ||||
-rw-r--r-- | server/tests/api/server/email.ts | 4 |
3 files changed, 19 insertions, 0 deletions
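--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -356,6 +356,7 @@ async function resetUserPassword (req: express.Request, res: express.Response) {
   user.password = req.body.password
 
   await user.save()
+  await Redis.Instance.removePasswordVerificationString(user.id)
 
   return res.status(204).end()
 }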
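Review bot: The verification string is invalidated only after `user.save()` has succeeded, so if `removePasswordVerificationString` rejects (Redis unavailable) the password is already changed while the reset link stays live, and the request still fails with an error. Because the string is validated wherever the request is checked (outside this hunk) and deleted here in a separate Redis round-trip, two concurrent requests carrying the same string can both pass validation before either deletes it; consuming the string atomically at validation time (a delete whose reply count is checked) would close both gaps, or at minimum the removal could run before the save so a reset never completes with a still-valid link. resetUserPassword starts outside the hunk.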
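--- a/server/lib/redis.ts
+++ b/server/lib/redis.ts
@@ -84,6 +84,10 @@ class Redis {
     return generatedString
   }
 
+  async removePasswordVerificationString (userId: number) {
+    return this.removeValue(this.generateResetPasswordKey(userId))
+  }
+
   async getResetPasswordLink (userId: number) {
     return this.getValue(this.generateResetPasswordKey(userId))
   }
@@ -290,6 +294,16 @@ class Redis {
     })
   }
 
+  private removeValue (key: string) {
+    return new Promise<void>((res, rej) => {
+      this.client.del(this.prefix + key, err => {
+        if (err) return rej(err)
+
+        return res()
+      })
+    })
+  }
+
   private setObject (key: string, obj: { [id: string]: string }, expirationMilliseconds: number) {
     return new Promise<void>((res, rej) => {
       this.client.hmset(this.prefix + key, obj, (err, ok) => {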
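Review bot: `removeValue` discards the reply of `DEL` (the number of keys actually removed), so a caller can never tell whether the key existed, which is exactly the signal a "use once" reset link needs to be consumed atomically rather than checked and deleted in two steps. Returning it is a small change: `return new Promise<number>((res, rej) => {`, `this.client.del(this.prefix + key, (err, count) => {`, `return res(count)`; the existing caller in `removePasswordVerificationString` (first hunk) is unaffected since it only awaits the promise. A one-line TSDoc on that public method, e.g. `/** Deletes the stored reset-password verification string for userId so the link cannot be reused. */`, would also document why the key is removed at all.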
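--- a/server/tests/api/server/email.ts
+++ b/server/tests/api/server/email.ts
@@ -123,6 +123,10 @@ describe('Test emails', function () {
       await resetPassword(server.url, userId, verificationString, 'super_password2')
     })
 
+    it('Should not reset the password with the same verification string', async function () {
+      await resetPassword(server.url, userId, verificationString, 'super_password3', 403)
+    })
+
     it('Should login with this new password', async function () {
       user.password = 'super_password2'
 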