Merge pull request #3195 from strongloop/backport/fix-hash-path-in-redirect

bajtos · web-flow · commit 42780567a82c · 2017-02-09T15:20:52.000+01:00
Fix creation of verification links
diff --git a/common/models/user.js b/common/models/user.js
@@ -13,6 +13,7 @@ var isEmail = require('isemail');
 var loopback = require('../../lib/loopback');
 var utils = require('../../lib/utils');
 var path = require('path');
+var qs = require('querystring');
 var SALT_WORK_FACTOR = 10;
 var crypto = require('crypto');
 var MAX_PASSWORD_LENGTH = 72;
@@ -428,10 +429,10 @@ module.exports = function(User) {
       options.host +
       displayPort +
       urlPath +
-      '?uid=' +
-      options.user[pkName] +
-      '&redirect=' +
-      options.redirect;
+      '?' + qs.stringify({
+        uid: options.user[pkName],
+        redirect: options.redirect,
+      });
 
     options.templateFn = options.templateFn || createVerificationEmailBody;
 
diff --git a/test/user.test.js b/test/user.test.js
@@ -7,6 +7,7 @@ require('./support');
 var loopback = require('../');
 var User, AccessToken;
 var async = require('async');
+var url = require('url');
 
 describe('User', function() {
   this.timeout(10000);
@@ -1700,6 +1701,29 @@ describe('User', function() {
             expect(result.email).to.not.have.property('template');
           });
       });
+
+      it('allows hash fragment in redirectUrl', function() {
+        return User.create({email: 'test@example.com', password: 'pass'})
+          .then(function(user) {
+            var actualVerifyHref;
+            return user.verify({
+              type: 'email',
+              to: user.email,
+              from: 'noreply@myapp.org',
+              redirect: '#/some-path?a=1&b=2',
+              templateFn: function(options, cb) {
+                actualVerifyHref = options.verifyHref;
+                cb(null, 'dummy body');
+              },
+            })
+            .then(function() { return actualVerifyHref; });
+          })
+          .then(function(verifyHref) {
+            var parsed = url.parse(verifyHref, true);
+            expect(parsed.query.redirect, 'redirect query')
+              .to.equal('#/some-path?a=1&b=2');
+          });
+      });
     });
 
     describe('User.confirm(options, fn)', function() {
