Merge pull request #5366 from overleaf/jk-move-password-reset-audit-log

[web] audit password reset before taking action GitOrigin-RevId: 672f712658b4669a5a750dbc6f97d24ce35c332d
2024-11-21 20:47:08 -05:00 · 2021-10-20 09:44:52 +01:00 · 2021-10-20 09:44:52 +01:00 · 7292cfbd02
commit 7292cfbd02
parent c95ad5573f
3 changed files with 8 additions and 8 deletions
--- a/services/web/app/src/Features/PasswordReset/PasswordResetHandler.js
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetHandler.js
@ -93,11 +93,6 @@ async function setNewUserPassword(token, password, auditLog) {
    }
  }

-  const reset = await AuthenticationManager.promises.setUserPassword(
-    user,
-    password
-  )
-
  await UserAuditLogHandler.promises.addEntry(
    user._id,
    'reset-password',
@ -105,6 +100,11 @@ async function setNewUserPassword(token, password, auditLog) {
    auditLog.ip
  )

+  const reset = await AuthenticationManager.promises.setUserPassword(
+    user,
+    password
+  )
+
  return { found: true, reset, userId: user._id }
 }

--- a/services/web/test/acceptance/src/PasswordResetTests.js
+++ b/services/web/test/acceptance/src/PasswordResetTests.js
@ -175,7 +175,7 @@ describe('PasswordReset', function () {
        expect(auditLog).to.deep.equal([])
      })

-      it('without a valid password should return 400 and not log the change', async function () {
+      it('without a valid password should return 400 and log the change', async function () {
        // send reset request
        response = await userHelper.request.post('/user/password/set', {
          form: {
@ -188,7 +188,7 @@ describe('PasswordReset', function () {
        userHelper = await UserHelper.getUser({ email })

        const auditLog = userHelper.getAuditLogWithoutNoise()
-        expect(auditLog).to.deep.equal([])
+        expect(auditLog.length).to.equal(1)
      })
    })
  })
--- a/services/web/test/unit/src/PasswordReset/PasswordResetHandlerTests.js
+++ b/services/web/test/unit/src/PasswordReset/PasswordResetHandlerTests.js
@ -356,7 +356,7 @@ describe('PasswordResetHandler', function () {
                    this.UserAuditLogHandler.promises.addEntry.callCount
                  ).to.equal(1)
                  expect(this.AuthenticationManager.promises.setUserPassword).to
-                    .have.been.called
+                    .not.have.been.called
                  done()
                }
              )