Commit e7537aab authored by Sebastian's avatar Sebastian

refactor token and email validation

parent 0855f358
...@@ -82,7 +82,7 @@ const Invite = app => { ...@@ -82,7 +82,7 @@ const Invite = app => {
} }
} catch (e) { } catch (e) {
if (e.name !== 'NotFoundError') { if (e.name !== 'NotFoundError') {
res.status(500).json({ error: e }) res.status(500).json({ error: e.details[0].message })
logger.error(e) logger.error(e)
return return
} }
...@@ -155,32 +155,26 @@ const Invite = app => { ...@@ -155,32 +155,26 @@ const Invite = app => {
return return
} }
try { const validateResponse = await validateEmailAndToken(
const user = await app.locals.models.User.findByEmail(email) email,
if (user) { token,
if (token !== user.passwordResetToken) { app.locals.models.User,
res.status(400).json({ error: 'invalid request' }) )
logger.error( if (validateResponse.success === false) {
`invite pw reset tokens do not match: REQ ${token} vs. DB ${ res
user.passwordResetToken .status(validateResponse.status)
}`, .json({ error: validateResponse.message })
) return
return }
}
const resBody = pick(user, [ const resBody = pick(validateResponse.user, [
'firstName', 'firstName',
'lastName', 'lastName',
'affiliation', 'affiliation',
'title', 'title',
]) ])
res.status(200).json(resBody) res.status(200).json(resBody)
}
} catch (e) {
res.status(404).json({ error: 'user not found' })
logger.error('invite pw reset on non-existing user')
}
}) })
app.post( app.post(
'/api/users/invite/password/reset', '/api/users/invite/password/reset',
...@@ -229,36 +223,27 @@ const Invite = app => { ...@@ -229,36 +223,27 @@ const Invite = app => {
isConfirmed: true, isConfirmed: true,
} }
try { const validateResponse = await validateEmailAndToken(
const user = await app.locals.models.User.findByEmail(email) email,
if (user) { token,
if (token !== user.passwordResetToken) { app.locals.models.User,
res.status(400).json({ error: 'invalid request' }) )
logger.error( if (validateResponse.success === false) {
`invite pw reset tokens do not match: REQ ${token} vs. DB ${ res
user.passwordResetToken .status(validateResponse.status)
}`, .json({ error: validateResponse.message })
) return
return }
}
let newUser = Object.assign(user, updateFields, user) let newUser = Object.assign(
delete newUser.passwordResetToken validateResponse.user,
updateFields,
validateResponse.user,
)
delete newUser.passwordResetToken
newUser = await newUser.save() newUser = await newUser.save()
res.status(200).json(newUser) res.status(200).json(newUser)
}
} catch (e) {
if (e.name === 'NotFoundError') {
res.status(404).json({ error: 'user not found' })
logger.error('invite pw reset on non-existing user')
} else if (e.name === 'ValidationError') {
res.status(400).json({ error: e.details[0].message })
logger.error('invite pw reset validation error')
}
res.status(400).json({ error: e })
logger.error(e)
}
}, },
) )
} }
...@@ -271,4 +256,47 @@ const checkForUndefinedParams = (...params) => { ...@@ -271,4 +256,47 @@ const checkForUndefinedParams = (...params) => {
return true return true
} }
const validateEmailAndToken = async (email, token, userModel) => {
try {
const user = await userModel.findByEmail(email)
if (user) {
if (token !== user.passwordResetToken) {
logger.error(
`invite pw reset tokens do not match: REQ ${token} vs. DB ${
user.passwordResetToken
}`,
)
return {
success: false,
status: 400,
message: 'invalid request',
}
}
return { success: true, user }
}
} catch (e) {
if (e.name === 'NotFoundError') {
logger.error('invite pw reset on non-existing user')
return {
success: false,
status: 404,
message: 'user not found',
}
} else if (e.name === 'ValidationError') {
logger.error('invite pw reset validation error')
return {
success: false,
status: 400,
message: e.details[0].message,
}
}
logger.error(e)
return {
success: false,
status: 500,
message: e.details[0].message,
}
}
}
module.exports = Invite module.exports = Invite
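Review bot: validateEmailAndToken (the new function in the last hunk) returns undefined when findByEmail resolves to a falsy value without throwing, so both callers then throw a TypeError on `validateResponse.success`; the old code only reached the 404 path via a thrown NotFoundError, and if the model can also resolve to null that case is now an unhandled rejection. The mismatch branch still writes both the submitted and stored reset tokens to the error log (`REQ ${token} vs. DB ${user.passwordResetToken}`), which places a live credential in log storage; log only that they differed. The final catch branch reads `e.details[0].message` for arbitrary errors, which throws inside the catch when `details` is absent and turns the intended 500 into an unhandled rejection; the same expression is used for the 500 response in the first hunk. The POST handler's `newUser.save()` call is also no longer inside a try/catch, so the ValidationError → 400 mapping the old code had is lost and a save failure becomes an unhandled rejection. A constant-time comparison (`crypto.timingSafeEqual` on equal-length buffers) would be preferable to `!==` for the token check, assuming both sides are strings.
```javascript
const validateEmailAndToken = async (email, token, userModel) => {
  try {
    const user = await userModel.findByEmail(email)
    if (!user) {
      logger.error('invite pw reset on non-existing user')
      return { success: false, status: 404, message: 'user not found' }
    }
    if (token !== user.passwordResetToken) {
      // never log the token values themselves
      logger.error('invite pw reset tokens do not match')
      return { success: false, status: 400, message: 'invalid request' }
    }
    return { success: true, user }
  } catch (e) {
    // … unchanged: NotFoundError / ValidationError branches …
    logger.error(e)
    // generic errors have no `details`; do not dereference it here
    return { success: false, status: 500, message: 'internal error' }
  }
}
```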