From 9808eb7f55aaa09c0d108976b73551d3ce09fc29 Mon Sep 17 00:00:00 2001
From: Simon Detheridge
Date: Thu, 25 Apr 2019 15:21:10 +0100
Subject: [PATCH] Merge pull request #1722 from sharelatex/jel-password-descriptive-message

Use descriptive error message for password reset

GitOrigin-RevId: f1f0bacd6397f2068ed2abc71ee6ec54b3a51aff
---
 .../Features/PasswordReset/PasswordResetController.coffee | 4 +++-
 .../web/test/acceptance/coffee/UserReconfirmTests.coffee | 5 ++---
 .../coffee/PasswordReset/PasswordResetControllerTests.coffee | 5 ++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee b/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee
index 926cd1dfb6..e438049b17 100644
--- a/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee
+++ b/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee
@@ -27,8 +27,10 @@ module.exports =
 PasswordResetHandler.generateAndEmailResetToken email, (err, exists)->
 if err?
 res.send 500, {message:err?.message}
+ else if exists
+ res.send 200, {message: {text: req.i18n.translate("password_reset_email_sent")}}
 else
- res.send 200, {message: {text: req.i18n.translate("if_registered_email_sent")}}
+ res.send 404, {message: req.i18n.translate("cant_find_email")}

 renderSetPasswordForm: (req, res)->
 if req.query.passwordResetToken?
diff --git a/services/web/test/acceptance/coffee/UserReconfirmTests.coffee b/services/web/test/acceptance/coffee/UserReconfirmTests.coffee
index 3a9fb9ddbb..7a7e5b17c1 100644
--- a/services/web/test/acceptance/coffee/UserReconfirmTests.coffee
+++ b/services/web/test/acceptance/coffee/UserReconfirmTests.coffee
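Review bot: The new `else if exists` / `else` split in requestReset (whose definition starts above this hunk) turns the reset endpoint into an account-existence oracle: a registered address now gets 200 with `password_reset_email_sent`, an unregistered one gets 404 with `cant_find_email`, so the response reveals which emails have accounts. The comments deleted in the two test hunks ("we return success so that we do not leak account info", "we do not send a 404 so that we do not leak account info") recorded exactly this as the reason for the old uniform 200, and the commit message does not say why that reasoning no longer holds. If the trade-off is accepted for usability, record it next to the branch, e.g. `# NOTE: 404 on an unknown email deliberately reveals account existence; relies on this route's rate limit`, and confirm the rate limit applied to this route is tight enough to make bulk probing impractical; otherwise return the same status and body for both outcomes. Separately, the two success/failure branches now return different body shapes (`message: {text: ...}` versus a bare `message` string), which every client of this endpoint must special-case.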
@@ -26,9 +26,8 @@ describe 'User Must Reconfirm', ->
 expect(response.statusCode).to.equal 200
 done()

- it 'should return a success to client for non-existent account', (done) ->
- # we return success so that we do not leak account info
+ it 'should return a 404 to client for non-existent account', (done) ->
 @user.reconfirmAccountRequest 'fake@overleaf.com', (err, response) =>
 expect(err?).to.equal false
- expect(response.statusCode).to.equal 200
+ expect(response.statusCode).to.equal 404
 done()
\ No newline at end of file
diff --git a/services/web/test/unit/coffee/PasswordReset/PasswordResetControllerTests.coffee b/services/web/test/unit/coffee/PasswordReset/PasswordResetControllerTests.coffee
index eb30916b80..4909bdb728 100644
--- a/services/web/test/unit/coffee/PasswordReset/PasswordResetControllerTests.coffee
+++ b/services/web/test/unit/coffee/PasswordReset/PasswordResetControllerTests.coffee
@@ -80,12 +80,11 @@ describe "PasswordResetController", ->
 done()
 @PasswordResetController.requestReset @req, @res

- it "should send a 200 if the email doesn't exist", (done)->
- # we do not send a 404 so that we do not leak account info
+ it "should send a 404 if the email doesn't exist", (done)->
 @RateLimiter.addCount.callsArgWith(1, null, true)
 @PasswordResetHandler.generateAndEmailResetToken.callsArgWith(1, null, false)
 @res.send = (code)=>
- code.should.equal 200
+ code.should.equal 404
 done()
 @PasswordResetController.requestReset @req, @res