jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Add email query param to reset code path

Browse Source 
This reduces any attack surface
This commit is contained in:
Girish Ramakrishnan
2018-06-12 17:22:41 -07:00
parent 5a6ea33694
commit 32e6b9024c
8 changed files with 68 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/users.js
View File

@@ -337,14 +337,18 @@ function get(userId, callback) {
});
}
function getByResetToken(resetToken, callback) {
function getByResetToken(email, resetToken, callback) {
assert.strictEqual(typeof email, 'string');
assert.strictEqual(typeof resetToken, 'string');
assert.strictEqual(typeof callback, 'function');
var error = validateToken(resetToken);
var error = validateEmail(email);
if (error) return callback(error);
userdb.getByResetToken(resetToken, function (error, result) {
error = validateToken(resetToken);
if (error) return callback(error);
userdb.getByResetToken(email, resetToken, function (error, result) {
if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new UsersError(UsersError.NOT_FOUND));
if (error) return callback(new UsersError(UsersError.INTERNAL_ERROR, error));