1
0
Fork 0

Do not reuse reset password links

This commit is contained in:
Chocobozzz 2020-08-12 09:15:31 +02:00
parent 857961f0ee
commit e9c5f12338
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
3 changed files with 19 additions and 0 deletions

View File

@ -356,6 +356,7 @@ async function resetUserPassword (req: express.Request, res: express.Response) {
user.password = req.body.password
await user.save()
await Redis.Instance.removePasswordVerificationString(user.id)
return res.status(204).end()
}

View File

@ -84,6 +84,10 @@ class Redis {
return generatedString
}
async removePasswordVerificationString (userId: number) {
return this.removeValue(this.generateResetPasswordKey(userId))
}
async getResetPasswordLink (userId: number) {
return this.getValue(this.generateResetPasswordKey(userId))
}
@ -290,6 +294,16 @@ class Redis {
})
}
private removeValue (key: string) {
return new Promise<void>((res, rej) => {
this.client.del(this.prefix + key, err => {
if (err) return rej(err)
return res()
})
})
}
private setObject (key: string, obj: { [id: string]: string }, expirationMilliseconds: number) {
return new Promise<void>((res, rej) => {
this.client.hmset(this.prefix + key, obj, (err, ok) => {

View File

@ -123,6 +123,10 @@ describe('Test emails', function () {
await resetPassword(server.url, userId, verificationString, 'super_password2')
})
it('Should not reset the password with the same verification string', async function () {
await resetPassword(server.url, userId, verificationString, 'super_password3', 403)
})
it('Should login with this new password', async function () {
user.password = 'super_password2'