diff options
| author | Chocobozzz <me@florianbigard.com> | 2020-08-12 09:15:31 +0200 |
|---|---|---|
| committer | Chocobozzz <me@florianbigard.com> | 2020-08-12 09:16:08 +0200 |
| commit | e9c5f123383e461a890c95368dce6f79d3b84660 (patch) | |
| tree | b6c55e9572a3566d4f2defbff314ac8414be8212 /server | |
| parent | 857961f0ee39f90dc3267cebd2b5e3f718115d06 (diff) | |
| download | PeerTube-e9c5f123383e461a890c95368dce6f79d3b84660.tar.gz PeerTube-e9c5f123383e461a890c95368dce6f79d3b84660.tar.zst PeerTube-e9c5f123383e461a890c95368dce6f79d3b84660.zip | |
Do not reuse reset password links
Diffstat (limited to 'server')
| -rw-r--r-- | server/controllers/api/users/index.ts | 1 | ||||
| -rw-r--r-- | server/lib/redis.ts | 14 | ||||
| -rw-r--r-- | server/tests/api/server/email.ts | 4 |
3 files changed, 19 insertions, 0 deletions
diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts index 5ae0dc7a7..5b113feac 100644 --- a/server/controllers/api/users/index.ts +++ b/server/controllers/api/users/index.ts | |||
| @@ -356,6 +356,7 @@ async function resetUserPassword (req: express.Request, res: express.Response) { | |||
| 356 | user.password = req.body.password | 356 | user.password = req.body.password |
| 357 | 357 | ||
| 358 | await user.save() | 358 | await user.save() |
| 359 | await Redis.Instance.removePasswordVerificationString(user.id) | ||
| 359 | 360 | ||
| 360 | return res.status(204).end() | 361 | return res.status(204).end() |
| 361 | } | 362 | } |
diff --git a/server/lib/redis.ts b/server/lib/redis.ts index 5313c4685..a075eee2d 100644 --- a/server/lib/redis.ts +++ b/server/lib/redis.ts | |||
| @@ -84,6 +84,10 @@ class Redis { | |||
| 84 | return generatedString | 84 | return generatedString |
| 85 | } | 85 | } |
| 86 | 86 | ||
| 87 | async removePasswordVerificationString (userId: number) { | ||
| 88 | return this.removeValue(this.generateResetPasswordKey(userId)) | ||
| 89 | } | ||
| 90 | |||
| 87 | async getResetPasswordLink (userId: number) { | 91 | async getResetPasswordLink (userId: number) { |
| 88 | return this.getValue(this.generateResetPasswordKey(userId)) | 92 | return this.getValue(this.generateResetPasswordKey(userId)) |
| 89 | } | 93 | } |
| @@ -290,6 +294,16 @@ class Redis { | |||
| 290 | }) | 294 | }) |
| 291 | } | 295 | } |
| 292 | 296 | ||
| 297 | private removeValue (key: string) { | ||
| 298 | return new Promise<void>((res, rej) => { | ||
| 299 | this.client.del(this.prefix + key, err => { | ||
| 300 | if (err) return rej(err) | ||
| 301 | |||
| 302 | return res() | ||
| 303 | }) | ||
| 304 | }) | ||
| 305 | } | ||
| 306 | |||
| 293 | private setObject (key: string, obj: { [id: string]: string }, expirationMilliseconds: number) { | 307 | private setObject (key: string, obj: { [id: string]: string }, expirationMilliseconds: number) { |
| 294 | return new Promise<void>((res, rej) => { | 308 | return new Promise<void>((res, rej) => { |
| 295 | this.client.hmset(this.prefix + key, obj, (err, ok) => { | 309 | this.client.hmset(this.prefix + key, obj, (err, ok) => { |
diff --git a/server/tests/api/server/email.ts b/server/tests/api/server/email.ts index b01a91d48..05c89d2a3 100644 --- a/server/tests/api/server/email.ts +++ b/server/tests/api/server/email.ts | |||
| @@ -123,6 +123,10 @@ describe('Test emails', function () { | |||
| 123 | await resetPassword(server.url, userId, verificationString, 'super_password2') | 123 | await resetPassword(server.url, userId, verificationString, 'super_password2') |
| 124 | }) | 124 | }) |
| 125 | 125 | ||
| 126 | it('Should not reset the password with the same verification string', async function () { | ||
| 127 | await resetPassword(server.url, userId, verificationString, 'super_password3', 403) | ||
| 128 | }) | ||
| 129 | |||
| 126 | it('Should login with this new password', async function () { | 130 | it('Should login with this new password', async function () { |
| 127 | user.password = 'super_password2' | 131 | user.password = 'super_password2' |
| 128 | 132 | ||