Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix field name of reset password token, add verifier and set status #161

Closed
wants to merge 8 commits into from
Closed

fix field name of reset password token, add verifier and set status #161

Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
bef4fde
fix field name of reset password token, add verifier and set status
tomivm Apr 14, 2021
c83815f
delete Private info on res of /forgot and run prettier
tomivm Apr 16, 2021
e71200c
add expire time verification
tomivm Apr 16, 2021
8d03386
Merge branch 'master' into 160-fix-store-password-vulnerability
tomivm Oct 25, 2021
303212e
allow users reset password more than once
tomivm Oct 30, 2021
fa93b3e
fix test
tomivm Oct 30, 2021
4064bd2
losted requested changes
tomivm Oct 30, 2021
d50ec5e
Merge branch 'master' into 160-fix-store-password-vulnerability
martinbedouret Nov 19, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 12 additions & 7 deletions api/controllers/user.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -419,7 +419,7 @@ async function forgotPassword(req, res) {
const response = {
success: 1,
userid: user.id,
tomivm marked this conversation as resolved.
Show resolved Hide resolved
url: token,
//url: token,
tomivm marked this conversation as resolved.
Show resolved Hide resolved
message: 'Success! Check your mail to reset your password.'
};
return res.status(200).json(response);
Expand All @@ -436,7 +436,6 @@ async function forgotPassword(req, res) {
}
async function storePassword(req, res) {
const { userid, password, token } = req.body;

try {
const resetPassword = await ResetPassword.findOne({
userId: userid,
Expand All @@ -448,10 +447,16 @@ async function storePassword(req, res) {
error: err.message
});
}
// the token and the hashed token in the db are verified befor updating the password
bcrypt.compare(token, resetPassword.token, function(errBcrypt, resBcrypt) {
let expireTime = moment.utc(resetPassword.expire);
// the token and the hashed token in the db are verified before updating the password
bcrypt.compare(token, resetPassword.resetPasswordToken, function(errBcrypt, resBcrypt) {
let expireTime = moment.utc(resetPassword.expire); // expireTime and currentTime is never used
tomivm marked this conversation as resolved.
Show resolved Hide resolved
let currentTime = new Date();
if(!resBcrypt){
tomivm marked this conversation as resolved.
Show resolved Hide resolved
return res.status(500).json({
message: 'Error resetting user password.',
error: 'invalid Token'
});
}
//hashing the password to store in the db node.js
bcrypt.genSalt(8, function(err, salt) {
bcrypt.hash(password, salt, async function(err, hash) {
Expand All @@ -464,8 +469,8 @@ async function storePassword(req, res) {
message: 'No user found with that ID.'
});
}
ResetPassword.findOneAndUpdate(
{ id: resetPassword.id },
ResetPassword.findByIdAndUpdate(
resetPassword._id,
{ status: true },
function(err) {
if (err) {
Expand Down