From 09c05fba0f30ce51e0707850c1e34520a5875e6b Mon Sep 17 00:00:00 2001
From: Support9-Anaxee
Date: Thu, 14 Dec 2023 15:34:41 +0530
Subject: [PATCH 1/3] bug #930: added email property check, ensuring the correct response.
---
 lib/resources/users.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/resources/users.js b/lib/resources/users.js
index 468ff3990..45507b489 100644
--- a/lib/resources/users.js
+++ b/lib/resources/users.js
@@ -55,7 +55,7 @@ module.exports = (service, endpoint) => {
 // TODO/SECURITY: subtle timing attack here.
 service.post('/users/reset/initiate', endpoint(({ Users, mail }, { auth, body, query }) =>
- Users.getByEmail(body.email)
+ (!body.email ? Problem.user.propertyNotFound({ property: 'email' }) : Users.getByEmail(body.email)
 .then((maybeUser) => maybeUser
 .map((user) => ((isTrue(query.invalidate))
 ? auth.canOrReject('user.password.invalidate', user.actor)
@@ -70,7 +70,7 @@ module.exports = (service, endpoint) => {
 .then((existed) => ((existed === true)
 ? mail(body.email, 'accountResetDeleted')
 : resolve()))))
- .then(success))));
+ .then(success)))));
 // TODO: some standard URL structure for RPC-style methods.
 service.post('/users/reset/verify', endpoint(({ Actors, Sessions, Users }, { body, auth }) =>
From b0c79886b482baadf4b79e2fb8bf80a7285e2f88 Mon Sep 17 00:00:00 2001
From: dev-rahulbhadoriya
Date: Wed, 20 Dec 2023 18:50:02 +0530
Subject: [PATCH 2/3] bug #930: changed propertyNotFound to missingParameter, also added test case.
---
 lib/resources/users.js | 2 +-
 test/integration/api/users.js | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/resources/users.js b/lib/resources/users.js
index 45507b489..2d853f101 100644
--- a/lib/resources/users.js
+++ b/lib/resources/users.js
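Review bot: The guard on the added line of the first hunk rejects only falsy values of `body.email`, so a request that sends `email` as a number, an object or an array still reaches `Users.getByEmail` with a non-string argument; what the query layer does with that is outside this hunk, but pinning the accepted type at the boundary is cheap: `((typeof body.email !== 'string' || body.email === '') ? Problem.user.propertyNotFound({ property: 'email' }) : Users.getByEmail(body.email)`. The same truthiness guard is carried unchanged into patch 2's hunk at line 55 of lib/resources/users.js, so the type check belongs there too. Returning the Problem as the handler's value rather than rejecting relies on `endpoint()` treating a returned Problem as an error response; the 400 asserted by the test added in patch 2 suggests it does, but that behaviour cannot be confirmed from these hunks. The `service.post` handler body continues outside the hunk, and the second hunk only rebalances the closing parentheses.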
@@ -55,7 +55,7 @@ module.exports = (service, endpoint) => {
 // TODO/SECURITY: subtle timing attack here.
 service.post('/users/reset/initiate', endpoint(({ Users, mail }, { auth, body, query }) =>
- (!body.email ? Problem.user.propertyNotFound({ property: 'email' }) : Users.getByEmail(body.email)
+ (!body.email ? Problem.user.missingParameter({ field: 'email' }) : Users.getByEmail(body.email)
 .then((maybeUser) => maybeUser
 .map((user) => ((isTrue(query.invalidate))
 ? auth.canOrReject('user.password.invalidate', user.actor)
diff --git a/test/integration/api/users.js b/test/integration/api/users.js
index 08857f538..e030a5094 100644
--- a/test/integration/api/users.js
+++ b/test/integration/api/users.js
@@ -402,6 +402,12 @@ describe('api: /users', () => {
 asAlice.post('/v1/users/reset/verify')
 .send({ new: 'coolpassword' })
 .expect(403))));
+
+ it('should fail the request if email field is sent blank in request body', testService((service) =>
+ service.login('alice', (asAlice) =>
+ asAlice.post('/v1/users/reset/initiate')
+ .send({ email: '' })
+ .expect(400))));
 });
 }
 });
From 3fc9e69b1a95fcadf57d0caf35fe11226a91a925 Mon Sep 17 00:00:00 2001
From: dev-rahulbhadoriya
Date: Fri, 22 Dec 2023 12:36:05 +0530
Subject: [PATCH 3/3] added assertions about the response body
---
 test/integration/api/users.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/test/integration/api/users.js b/test/integration/api/users.js
index e030a5094..5fb4d5c99 100644
--- a/test/integration/api/users.js
+++ b/test/integration/api/users.js
@@ -407,7 +407,11 @@ describe('api: /users', () => {
 service.login('alice', (asAlice) =>
 asAlice.post('/v1/users/reset/initiate')
 .send({ email: '' })
- .expect(400))));
+ .expect(400)
+ .then(({ body: { code, details } }) => {
+ details.should.eql({ field: 'email' });
+ code.should.eql(400.2);
+ }))));
 });
 }
 });
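Review bot: The test added in the test/integration/api/users.js hunk of patch 2 only exercises `email: ''`, while the commit subject and the guard under test are about a missing `email` property; a sibling case with `.send({})` and `.expect(400)` would pin the absent-property path, and a case such as `.send({ email: 42 })` would document whatever the endpoint does for a non-string value once that is decided. The test also runs as a logged-in user via `service.login('alice', …)`; if `/users/reset/initiate` is reachable without a session, as a reset initiator typically is, an unauthenticated request is the more representative fixture, though that cannot be confirmed from this hunk. Patch 3's hunk extends the same test with body assertions (`details` and `code`) for the blank-string case only, so any added cases should carry the same assertions.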