Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix field name of reset password token, add verifier and set status #161

Closed
wants to merge 8 commits into from
Closed

fix field name of reset password token, add verifier and set status #161

Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
bef4fde
fix field name of reset password token, add verifier and set status
tomivm Apr 14, 2021
c83815f
delete Private info on res of /forgot and run prettier
tomivm Apr 16, 2021
e71200c
add expire time verification
tomivm Apr 16, 2021
8d03386
Merge branch 'master' into 160-fix-store-password-vulnerability
tomivm Oct 25, 2021
303212e
allow users reset password more than once
tomivm Oct 30, 2021
fa93b3e
fix test
tomivm Oct 30, 2021
4064bd2
losted requested changes
tomivm Oct 30, 2021
d50ec5e
Merge branch 'master' into 160-fix-store-password-vulnerability
martinbedouret Nov 19, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 3 additions & 4 deletions api/controllers/user.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -447,19 +447,18 @@ async function storePassword(req, res) {
userId: userid,
status: false,
}).exec();
if (!resetPassword) {
const expireTime = moment.utc(resetPassword.resetPasswordExpires).isBefore(moment());
tomivm marked this conversation as resolved.
Show resolved Hide resolved
tomivm marked this conversation as resolved.
Show resolved Hide resolved
if (expireTime) {
return res.status(500).json({
message: 'Expired time to reset password! ',
error: err.message,
error: 'Expired time to reset password! ',
});
}
// the token and the hashed token in the db are verified before updating the password
bcrypt.compare(
token,
resetPassword.resetPasswordToken,
function (errBcrypt, resBcrypt) {
let expireTime = moment.utc(resetPassword.expire); // expireTime and currentTime is never used
let currentTime = new Date();
if (!resBcrypt) {
return res.status(500).json({
message: 'Error resetting user password.',
Expand Down