Do not reuse reset password links

2020-08-12 09:15:31 +02:00 · 2020-08-12 09:15:31 +02:00 · e9c5f12338
parent 857961f0ee
commit e9c5f12338
3 changed files with 19 additions and 0 deletions
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@ -356,6 +356,7 @@ async function resetUserPassword (req: express.Request, res: express.Response) {
  user.password = req.body.password

  await user.save()
+  await Redis.Instance.removePasswordVerificationString(user.id)

  return res.status(204).end()
 }
--- a/server/lib/redis.ts
+++ b/server/lib/redis.ts
@ -84,6 +84,10 @@ class Redis {
    return generatedString
  }

+  async removePasswordVerificationString (userId: number) {
+    return this.removeValue(this.generateResetPasswordKey(userId))
+  }
+
  async getResetPasswordLink (userId: number) {
    return this.getValue(this.generateResetPasswordKey(userId))
  }
@ -290,6 +294,16 @@ class Redis {
    })
  }

+  private removeValue (key: string) {
+    return new Promise<void>((res, rej) => {
+      this.client.del(this.prefix + key, err => {
+        if (err) return rej(err)
+
+        return res()
+      })
+    })
+  }
+
  private setObject (key: string, obj: { [id: string]: string }, expirationMilliseconds: number) {
    return new Promise<void>((res, rej) => {
      this.client.hmset(this.prefix + key, obj, (err, ok) => {
--- a/server/tests/api/server/email.ts
+++ b/server/tests/api/server/email.ts
@ -123,6 +123,10 @@ describe('Test emails', function () {
      await resetPassword(server.url, userId, verificationString, 'super_password2')
    })

+    it('Should not reset the password with the same verification string', async function () {
+      await resetPassword(server.url, userId, verificationString, 'super_password3', 403)
+    })
+
    it('Should login with this new password', async function () {
      user.password = 'super_password2'