From e9c5f123383e461a890c95368dce6f79d3b84660 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Wed, 12 Aug 2020 09:15:31 +0200
Subject: [PATCH] Do not reuse reset password links
---
 server/controllers/api/users/index.ts | 1 +
 server/lib/redis.ts | 14 ++++++++++++++
 server/tests/api/server/email.ts | 4 ++++
 3 files changed, 19 insertions(+)
diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts
index 5ae0dc7a7..5b113feac 100644
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -356,6 +356,7 @@ async function resetUserPassword (req: express.Request, res: express.Response) {
 user.password = req.body.password
 await user.save()
+ await Redis.Instance.removePasswordVerificationString(user.id)
 return res.status(204).end()
 }
diff --git a/server/lib/redis.ts b/server/lib/redis.ts
index 5313c4685..a075eee2d 100644
--- a/server/lib/redis.ts
+++ b/server/lib/redis.ts
@@ -84,6 +84,10 @@ class Redis {
 return generatedString
 }
+ async removePasswordVerificationString (userId: number) {
+ return this.removeValue(this.generateResetPasswordKey(userId))
+ }
+
 async getResetPasswordLink (userId: number) {
 return this.getValue(this.generateResetPasswordKey(userId))
 }
@@ -290,6 +294,16 @@ class Redis {
 })
 }
+ private removeValue (key: string) {
+ return new Promise((res, rej) => {
+ this.client.del(this.prefix + key, err => {
+ if (err) return rej(err)
+
+ return res()
+ })
+ })
+ }
+
 private setObject (key: string, obj: { [id: string]: string }, expirationMilliseconds: number) {
 return new Promise((res, rej) => {
 this.client.hmset(this.prefix + key, obj, (err, ok) => {
diff --git a/server/tests/api/server/email.ts b/server/tests/api/server/email.ts
index b01a91d48..05c89d2a3 100644
--- a/server/tests/api/server/email.ts
+++ b/server/tests/api/server/email.ts
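Review bot: In `resetUserPassword` (server/controllers/api/users/index.ts) the reset string is deleted only after `await user.save()` has completed, so if the `del` rejects, the password has already changed while the link stays usable for as long as its key lives in Redis. Consuming the string first fails closed: move `await Redis.Instance.removePasswordVerificationString(user.id)` above `user.password = req.body.password`, so a failed save costs the user only a fresh link. The string is presumably checked in a validator outside this hunk, which would let two concurrent requests carrying the same string both pass before either delete runs; an atomic check-and-delete would close that window. The function starts above the hunk.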
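Review bot: `removeValue` in the second hunk of server/lib/redis.ts drops the reply of `del` (the number of keys removed) and builds an untyped `new Promise`, so callers cannot tell whether a reset string was actually present. Resolving with the count, `this.client.del(this.prefix + key, (err, count) => {` followed by `return res(count)` inside a `new Promise<number>(...)`, would let `removePasswordVerificationString` in the first hunk report a replayed or already-consumed link so the controller can log it. Both new methods would also read better with an explicit return type such as `Promise<number>`.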
@@ -123,6 +123,10 @@ describe('Test emails', function () {
 await resetPassword(server.url, userId, verificationString, 'super_password2')
 })
+ it('Should not reset the password with the same verification string', async function () {
+ await resetPassword(server.url, userId, verificationString, 'super_password3', 403)
+ })
+
 it('Should login with this new password', async function () {
 user.password = 'super_password2'