jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Add email query param to reset code path

Browse Source 
This reduces any attack surface
This commit is contained in:
Girish Ramakrishnan
2018-06-12 17:22:41 -07:00
parent 5a6ea33694
commit 32e6b9024c
8 changed files with 68 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/userdb.js
View File

@@ -82,13 +82,14 @@ function getOwner(callback) {
});
}
function getByResetToken(resetToken, callback) {
function getByResetToken(email, resetToken, callback) {
assert.strictEqual(typeof email, 'string');
assert.strictEqual(typeof resetToken, 'string');
assert.strictEqual(typeof callback, 'function');
if (resetToken.length === 0) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, 'Empty resetToken not allowed'));
database.query('SELECT ' + USERS_FIELDS + ' FROM users WHERE resetToken=?', [ resetToken ], function (error, result) {
database.query('SELECT ' + USERS_FIELDS + ' FROM users WHERE email=? AND resetToken=?', [ email, resetToken ], function (error, result) {
if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
if (result.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND));