jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Password reset does not need an email

Browse Source
This commit is contained in:
Johannes Zellner
2020-02-04 17:05:08 +01:00
parent 18bbe70364
commit 6745221e0f
5 changed files with 18 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/routes/cloudron.js
View File

@@ -98,14 +98,13 @@ function passwordResetRequest(req, res, next) {
function passwordReset(req, res, next) {
assert.strictEqual(typeof req.body, 'object');
if (typeof req.body.email !== 'string') return next(new HttpError(400, 'Missing email'));
if (typeof req.body.resetToken !== 'string') return next(new HttpError(400, 'Missing resetToken'));
if (typeof req.body.password !== 'string') return next(new HttpError(400, 'Missing password'));
debug(`passwordReset: for ${req.body.email} with token ${req.body.resetToken}`);
debug(`passwordReset: with token ${req.body.resetToken}`);
users.getByResetToken(req.body.email, req.body.resetToken, function (error, userObject) {
if (error) return next(new HttpError(401, 'Invalid email or resetToken'));
users.getByResetToken(req.body.resetToken, function (error, userObject) {
if (error) return next(new HttpError(401, 'Invalid resetToken'));
if (!userObject.username) return next(new HttpError(401, 'No username set'));