From 7292cfbd022f95fdff8f6a3f937027d57c9db3bb Mon Sep 17 00:00:00 2001
From: June Kelly
Date: Wed, 20 Oct 2021 09:44:52 +0100
Subject: [PATCH] Merge pull request #5366 from overleaf/jk-move-password-reset-audit-log
[web] audit password reset before taking action
GitOrigin-RevId: 672f712658b4669a5a750dbc6f97d24ce35c332d
---
 .../src/Features/PasswordReset/PasswordResetHandler.js | 10 +++++-----
 services/web/test/acceptance/src/PasswordResetTests.js | 4 ++--
 .../src/PasswordReset/PasswordResetHandlerTests.js | 2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/services/web/app/src/Features/PasswordReset/PasswordResetHandler.js b/services/web/app/src/Features/PasswordReset/PasswordResetHandler.js
index 12195ef855..e524ab04ae 100644
--- a/services/web/app/src/Features/PasswordReset/PasswordResetHandler.js
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetHandler.js
@@ -93,11 +93,6 @@ async function setNewUserPassword(token, password, auditLog) {
 }
 }
- const reset = await AuthenticationManager.promises.setUserPassword(
- user,
- password
- )
-
 await UserAuditLogHandler.promises.addEntry(
 user._id,
 'reset-password',
@@ -105,6 +100,11 @@ async function setNewUserPassword(token, password, auditLog) {
 auditLog.ip
 )
+ const reset = await AuthenticationManager.promises.setUserPassword(
+ user,
+ password
+ )
+
 return { found: true, reset, userId: user._id }
 }
diff --git a/services/web/test/acceptance/src/PasswordResetTests.js b/services/web/test/acceptance/src/PasswordResetTests.js
index 911ca46fe0..6ed609677e 100644
--- a/services/web/test/acceptance/src/PasswordResetTests.js
+++ b/services/web/test/acceptance/src/PasswordResetTests.js
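Review bot: With `addEntry` now awaited before `setUserPassword` in `setNewUserPassword` (PasswordResetHandler.js), a `'reset-password'` audit entry is written even when the password is then rejected or `reset` comes back false, so the entry records an attempt rather than a completed reset. The acceptance test changed in this same commit confirms it: a 400 response now leaves one audit entry. Anyone reading the audit log during an investigation needs to know this, so I would add a comment above the call, for example `// Audit before acting: if addEntry throws, the password is left unchanged. The entry marks an attempt; setUserPassword may still reject the password.` The start of the function, including the token lookup, is outside the hunk.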
@@ -175,7 +175,7 @@ describe('PasswordReset', function () {
 expect(auditLog).to.deep.equal([])
 })
- it('without a valid password should return 400 and not log the change', async function () {
+ it('without a valid password should return 400 and log the change', async function () {
 // send reset request
 response = await userHelper.request.post('/user/password/set', {
 form: {
@@ -188,7 +188,7 @@ describe('PasswordReset', function () {
 userHelper = await UserHelper.getUser({ email })
 const auditLog = userHelper.getAuditLogWithoutNoise()
- expect(auditLog).to.deep.equal([])
+ expect(auditLog.length).to.equal(1)
 })
 })
 })
diff --git a/services/web/test/unit/src/PasswordReset/PasswordResetHandlerTests.js b/services/web/test/unit/src/PasswordReset/PasswordResetHandlerTests.js
index 4be10b9128..855ca30318 100644
--- a/services/web/test/unit/src/PasswordReset/PasswordResetHandlerTests.js
+++ b/services/web/test/unit/src/PasswordReset/PasswordResetHandlerTests.js
@@ -356,7 +356,7 @@ describe('PasswordResetHandler', function () {
 this.UserAuditLogHandler.promises.addEntry.callCount
 ).to.equal(1)
 expect(this.AuthenticationManager.promises.setUserPassword).to
- .have.been.called
+ .not.have.been.called
 done()
 }
 )
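Review bot: `expect(auditLog.length).to.equal(1)` in the invalid-password test (PasswordResetTests.js, hunk at -188) checks only that some entry exists, not which one. Any single unrelated entry that survives `getAuditLogWithoutNoise()` would satisfy it. The assertion would be stronger if it also checked that the one entry is the `'reset-password'` entry and carries the request's IP. The title changed in the hunk at -175 says "log the change" although the request is rejected with 400 and nothing changes; "log the attempt" would describe what the audit entry means on this path. The body of the test between the two hunks is not visible.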
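Review bot: The ordering this commit introduces is asserted only on what looks like the failing-audit path in PasswordResetHandlerTests.js (`addEntry` called once, `setUserPassword` `.not.have.been.called`). Nothing in the visible hunks asserts that on the success path the audit entry is written first. If these are sinon stubs, as the `callCount` and `.have.been.called` usage suggests, a success-path check such as `expect(this.UserAuditLogHandler.promises.addEntry).to.have.been.calledBefore(this.AuthenticationManager.promises.setUserPassword)` would stop a later refactor from silently swapping the calls back. The enclosing test starts above the hunk, so the setup that makes the audit call fail is inferred rather than seen.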