fix(password): deleting password resets on password reset

AEGEE · Mar 26, 2020 · 9ec7971 · 9ec7971
1 parent 5ad07f7
commit 9ec7971
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 2 deletions.
diff --git a/middlewares/login.js b/middlewares/login.js
@@ -67,6 +67,7 @@ module.exports.passwordReset = async (req, res) => {
         return errors.makeNotFoundError(res, 'User is not found.');
     }
 
+    await PasswordReset.destroy({ where: { user_id: user.id } });
     await PasswordReset.createForUser(user.id);
 
     // TODO: send a password reset to user.

diff --git a/middlewares/permissions.js b/middlewares/permissions.js
@@ -4,7 +4,6 @@ const errors = require('../lib/errors');
 const constants = require('../lib/constants');
 
 exports.listAllPermissions = async (req, res) => {
-    // TODO: add filtering
     const result = await Permission.findAndCountAll({
         where: helpers.filterBy(req.query.query, constants.FIELDS_TO_QUERY.PERMISSION),
         ...helpers.getPagination(req.query),
@@ -42,7 +41,6 @@ exports.updatePermission = async (req, res) => {
         return errors.makeForbiddenError(res, 'Permission global:update:permission is required, but not present.');
     }
 
-    // TODO: filter out fields that are changed in the other way
     await req.currentPermission.update(req.body);
     return res.json({
         success: true,

diff --git a/test/api/password-reset.test.js b/test/api/password-reset.test.js
@@ -78,4 +78,24 @@ describe('Password reset', () => {
         const resets = await PasswordReset.count({ where: { user_id: user.id } });
         expect(resets).not.toEqual(0);
     });
+
+    test('should remove all other password resets', async () => {
+        const user = await generator.createUser();
+        const existingReset = await generator.createPasswordReset({}, user);
+
+        const res = await request({
+            uri: '/password_reset',
+            method: 'POST',
+            body: { email: user.email }
+        });
+
+        expect(res.statusCode).toEqual(200);
+        expect(res.body.success).toEqual(true);
+        expect(res.body).not.toHaveProperty('errors');
+        expect(res.body).toHaveProperty('message');
+
+        const resets = await PasswordReset.findAll({ where: { user_id: user.id } });
+        expect(resets.length).toEqual(1);
+        expect(resets[0].id).not.toEqual(existingReset.id);
+    });
 });
diff --git a/test/scripts/generator.js b/test/scripts/generator.js
@@ -6,6 +6,7 @@ const {
     MailConfirmation,
     AccessToken,
     RefreshToken,
+    PasswordReset,
     Body,
     Circle,
     Permission,
@@ -125,6 +126,18 @@ exports.createAccessToken = (options = {}, user = null) => {
     return AccessToken.create(exports.generateAccessToken(options, user));
 };
 
+exports.generatePasswordReset = (options = {}, user) => {
+    if (notSet(options.value)) options.value = faker.random.alphaNumeric(16);
+    if (notSet(options.expires_at)) options.expires_at = faker.date.future();
+    if (user) options.user_id = user.id;
+
+    return options;
+};
+
+exports.createPasswordReset = (options = {}, user = null) => {
+    return PasswordReset.create(exports.generatePasswordReset(options, user));
+};
+
 exports.createCircleMembership = (circle, user) => {
     return CircleMembership.create({
         circle_id: circle.id,