
Commit 4ec0ac2

authored
Merge pull request #2671 from strongloop/Password-Security
Allow resetPassword by email only if email verification was done
2 parents 98eed72 + 5567917 commit 4ec0ac2


2 files changed

+44
-0
lines changed

2 files changed

+44
-0
lines changed

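--- a/common/models/user.js
+++ b/common/models/user.js
@@ -576,6 +576,13 @@ module.exports = function(User) {
 }
 // create a short lived access token for temp login to change password
 // TODO(ritch) - eventually this should only allow password change
+if (UserModel.settings.emailVerificationRequired && !user.emailVerified) {
+err = new Error(g.f('Email has not been verified'));
+err.statusCode = 401;
+err.code = 'RESET_FAILED_EMAIL_NOT_VERIFIED';
+return cb(err);
+}
+
 user.accessTokens.create({ ttl: ttl }, function(err, accessToken) {
 if (err) {
 return cb(err);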
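Review bot: The new branch answers an unauthenticated resetPassword request with a distinct code and message, `RESET_FAILED_EMAIL_NOT_VERIFIED` / 'Email has not been verified', so a caller learns that an account exists for the given email and that it is still unverified; if the email-not-found path (outside this hunk) reports a different error, the two responses together form an account-existence oracle. Either make the two failures indistinguishable to the client, or record the disclosure deliberately with a comment such as `// NOTE: distinct error reveals that an unverified account exists for this email; accepted because ...`. The assignment `err = new Error(...)` has no declaration in the hunk and presumably reuses a variable declared by the enclosing callback (likely its `err` parameter); if that is not intended, `var err = new Error(g.f('Email has not been verified'));` keeps the scoping explicit. The enclosing function starts before this hunk.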
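--- a/test/user.test.js
+++ b/test/user.test.js
@@ -1763,6 +1763,43 @@ describe('User', function() {
 });
 });
 
+describe('password reset with/without email verification', function() {
+it('allows resetPassword by email if email verification is required and done',
+function(done) {
+User.settings.emailVerificationRequired = true;
+var email = validCredentialsEmailVerified.email;
+
+User.resetPassword({ email: email }, function(err, info) {
+if (err) return done (err);
+done();
+});
+});
+
+it('disallows resetPassword by email if email verification is required and not done',
+function(done) {
+User.settings.emailVerificationRequired = true;
+var email = validCredentialsEmail;
+
+User.resetPassword({ email: email }, function(err) {
+assert(err);
+assert.equal(err.code, 'RESET_FAILED_EMAIL_NOT_VERIFIED');
+assert.equal(err.statusCode, 401);
+done ();
+});
+});
+
+it('allows resetPassword by email if email verification is not required',
+function(done) {
+User.settings.emailVerificationRequired = false;
+var email = validCredentialsEmail;
+
+User.resetPassword({ email: email }, function(err) {
+if (err) return done (err);
+done();
+});
+});
+});
+
 describe('ctor', function() {
 it('exports default Email model', function() {
 expect(User.email, 'User.email').to.be.a('function');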
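Review bot: The three new tests write `User.settings.emailVerificationRequired` directly and never restore it, so whatever value the last test leaves (false here, but order-dependent if mocha runs a subset) leaks into the 'ctor' describe and every later suite. Capture and restore the setting around the block: `var saved; beforeEach(function() { saved = User.settings.emailVerificationRequired; });` and `afterEach(function() { User.settings.emailVerificationRequired = saved; });`. The first test's callback declares an `info` argument it never reads, and `done (err)` / `done ()` carry a space before the call parentheses that the rest of the file does not use. The fixtures `validCredentialsEmail` and `validCredentialsEmailVerified` are defined outside this hunk, so whether the second fixture actually has `emailVerified` set is not visible here.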