Merge pull request #1722 from sharelatex/jel-password-descriptive-message

Use descriptive error message for password reset GitOrigin-RevId: f1f0bacd6397f2068ed2abc71ee6ec54b3a51aff
2025-01-24 14:41:19 +00:00 · 2019-04-25 15:21:10 +01:00 · 2019-04-25 15:21:10 +01:00 · 9808eb7f55
commit 9808eb7f55
parent 3990a5d736
3 changed files with 7 additions and 7 deletions
--- a/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee
+++ b/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee
@ -27,8 +27,10 @@ module.exports =
 			PasswordResetHandler.generateAndEmailResetToken email, (err, exists)->
 				if err?
 					res.send 500, {message:err?.message}
+				else if exists
+					res.send 200, {message: {text: req.i18n.translate("password_reset_email_sent")}}
 				else
-					res.send 200, {message: {text: req.i18n.translate("if_registered_email_sent")}}
+					res.send 404, {message: req.i18n.translate("cant_find_email")}

 	renderSetPasswordForm: (req, res)->
 		if req.query.passwordResetToken?
--- a/services/web/test/acceptance/coffee/UserReconfirmTests.coffee
+++ b/services/web/test/acceptance/coffee/UserReconfirmTests.coffee
@ -26,9 +26,8 @@ describe 'User Must Reconfirm', ->
 				expect(response.statusCode).to.equal 200
 				done()

-		it 'should return a success to client for non-existent account', (done) ->
-			# we return success so that we do not leak account info
+		it 'should return a 404 to client for non-existent account', (done) ->
 			@user.reconfirmAccountRequest 'fake@overleaf.com', (err, response) =>
 				expect(err?).to.equal false
-				expect(response.statusCode).to.equal 200
+				expect(response.statusCode).to.equal 404
 				done()
--- a/services/web/test/unit/coffee/PasswordReset/PasswordResetControllerTests.coffee
+++ b/services/web/test/unit/coffee/PasswordReset/PasswordResetControllerTests.coffee
@ -80,12 +80,11 @@ describe "PasswordResetController", ->
 				done()
 			@PasswordResetController.requestReset @req, @res

-		it "should send a 200 if the email doesn't exist", (done)->
-			# we do not send a 404 so that we do not leak account info
+		it "should send a 404 if the email doesn't exist", (done)->
 			@RateLimiter.addCount.callsArgWith(1, null, true)
 			@PasswordResetHandler.generateAndEmailResetToken.callsArgWith(1, null, false)
 			@res.send = (code)=>
-				code.should.equal 200
+				code.should.equal 404
 				done()
 			@PasswordResetController.requestReset @req, @res