fix field name of reset password token, add verifier and set status

[tomivm]

this PR fixes a bug that allows changing the password of the users of Cboard only with their emails.
-Don't send the reset password token on /user/forgot response
-Use resBcrypt variable on bcrypt.compare() callback to verify if the token is correct.
-Set the status field of the document to true after changing the password. ( It's better to use this field or delete the document? )

After this merge is necesary modify test of user endpoint because the token is no more available on forgot response. PR #144

[sylvansson]

It would be great if you could add some tests directly in this PR to be sure that your changes work as intended. And to answer your question, we can keep the document in order to keep a record of the password reset.

Great work identifying this bug and fixing it 🙌

[sylvansson]

@tomivm I think I accidentally pushed to your branch and undid some of your changes. Sorry!

[sylvansson]

@tomivm I think I was able to restore your changes.

[sylvansson]

@tomivm It looks like this PR was closed automatically when I merged #166 because you referenced it with the "resolve" keyword in your other PR. I'm reopening it.

[tomivm]

I can't write Mocha test for this endpoint yet because the Token now is coming only via Email. I did some manual test and register it with images.

with out UserId and Token:

without token:

Recived mail:

Request and response using the link to change password:

Changing expired time to 5 seconds and trying to change password:

With the actual code on forgot-password is only able to forgot one Time the password. what I mean is that if I change My password one Time i cannot request change the password again. when i tried it the response is: 'ERROR: create reset password FAILED '

[martinbedouret]

@tomivm I am closing this because it is too old. Could you please check it out and apply the same fix on a new branch in case this is still applicable?