Merge pull request #3595 from overleaf/ae-password-reset-request-validation

Add request validation to the password reset endpoints GitOrigin-RevId: 104444d0ebfea2b3d66285a8433e49c1134076b8
2025-04-22 18:58:02 +00:00 · 2021-02-03 07:37:16 -05:00 · 2021-02-03 07:37:16 -05:00 · 309163d444
commit 309163d444
parent 6d2a041b1c
2 changed files with 76 additions and 2 deletions
--- a/services/web/app/src/Features/PasswordReset/PasswordResetRouter.js
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetRouter.js
@ -1,5 +1,6 @@
 const PasswordResetController = require('./PasswordResetController')
 const AuthenticationController = require('../Authentication/AuthenticationController')
+const { Joi, validate } = require('../../infrastructure/Validation')

 module.exports = {
  apply(webRouter, apiRouter) {
@ -7,7 +8,15 @@ module.exports = {
      '/user/password/reset',
      PasswordResetController.renderRequestResetForm
    )
-    webRouter.post('/user/password/reset', PasswordResetController.requestReset)
+    webRouter.post(
+      '/user/password/reset',
+      validate({
+        body: Joi.object({
+          email: Joi.string().required()
+        })
+      }),
+      PasswordResetController.requestReset
+    )
    AuthenticationController.addEndpointToLoginWhitelist('/user/password/reset')

    webRouter.get(
@ -16,10 +25,24 @@ module.exports = {
    )
    webRouter.post(
      '/user/password/set',
+      validate({
+        body: Joi.object({
+          password: Joi.string().required(),
+          passwordResetToken: Joi.string().required()
+        })
+      }),
      PasswordResetController.setNewUserPassword
    )
    AuthenticationController.addEndpointToLoginWhitelist('/user/password/set')

-    webRouter.post('/user/reconfirm', PasswordResetController.requestReset)
+    webRouter.post(
+      '/user/reconfirm',
+      validate({
+        body: Joi.object({
+          email: Joi.string().required()
+        })
+      }),
+      PasswordResetController.requestReset
+    )
  }
 }
--- a/services/web/test/acceptance/src/PasswordResetTests.js
+++ b/services/web/test/acceptance/src/PasswordResetTests.js
@ -206,4 +206,55 @@ describe('PasswordReset', function() {
      expect(response.statusCode).to.equal(404)
    })
  })
+  describe('password reset', function() {
+    it('should return 200 if email field is valid', async function() {
+      response = await userHelper.request.post(`/user/password/reset`, {
+        form: {
+          email
+        }
+      })
+      expect(response.statusCode).to.equal(200)
+    })
+
+    it('should return 400 if email field is missing', async function() {
+      response = await userHelper.request.post(`/user/password/reset`, {
+        form: {
+          mail: email
+        },
+        simple: false
+      })
+      expect(response.statusCode).to.equal(400)
+    })
+  })
+  describe('password set', function() {
+    it('should return 200 if password and passwordResetToken fields are valid', async function() {
+      response = await userHelper.request.post(`/user/password/set`, {
+        form: {
+          password: 'new-password',
+          passwordResetToken: token
+        }
+      })
+      expect(response.statusCode).to.equal(200)
+    })
+
+    it('should return 400 if password field is missing', async function() {
+      response = await userHelper.request.post(`/user/password/set`, {
+        form: {
+          passwordResetToken: token
+        },
+        simple: false
+      })
+      expect(response.statusCode).to.equal(400)
+    })
+
+    it('should return 400 if passwordResetToken field is missing', async function() {
+      response = await userHelper.request.post(`/user/password/set`, {
+        form: {
+          password: 'new-password'
+        },
+        simple: false
+      })
+      expect(response.statusCode).to.equal(400)
+    })
+  })
 })