Merge pull request #3231 from overleaf/jpa-hide-internal-error-messages

[misc] PasswordResetController: do not expose internal error messages GitOrigin-RevId: 9eca5e7f5367559d5340363ef859589e218e817f
2024-11-21 20:47:08 -05:00 · 2020-09-28 11:51:57 +01:00 · 2020-09-28 11:51:57 +01:00 · fdcf327ae7
commit fdcf327ae7
parent 2efd33eae6
2 changed files with 13 additions and 11 deletions
--- a/services/web/app/src/Features/PasswordReset/PasswordResetController.js
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetController.js
@ -5,7 +5,7 @@ const AuthenticationManager = require('../Authentication/AuthenticationManager')
 const UserGetter = require('../User/UserGetter')
 const UserUpdater = require('../User/UserUpdater')
 const UserSessionsManager = require('../User/UserSessionsManager')
-const logger = require('logger-sharelatex')
+const OError = require('@overleaf/o-error')
 const { expressify } = require('../../util/promises')

 async function setNewUserPassword(req, res, next) {
@ -73,7 +73,9 @@ module.exports = {
    }
    RateLimiter.addCount(opts, (err, canContinue) => {
      if (err != null) {
-        res.status(500).send({ message: err.message })
+        return next(
+          new OError('rate-limit password reset failed').withCause(err)
+        )
      }
      if (!canContinue) {
        return res.status(429).send({
@ -82,11 +84,10 @@ module.exports = {
      }
      PasswordResetHandler.generateAndEmailResetToken(email, (err, status) => {
        if (err != null) {
-          logger.warn(
-            { err },
-            'failed to generate and email password reset token'
-          )
-          res.status(500).send({ message: err.message })
+          OError.tag(err, 'failed to generate and email password reset token', {
+            email
+          })
+          next(err)
        } else if (status === 'primary') {
          res.status(200).send({
            message: { text: req.i18n.translate('password_reset_email_sent') }
--- a/services/web/test/unit/src/PasswordReset/PasswordResetControllerTests.js
+++ b/services/web/test/unit/src/PasswordReset/PasswordResetControllerTests.js
@ -117,11 +117,12 @@ describe('PasswordResetController', function() {
      this.RateLimiter.addCount.callsArgWith(1, null, true)
      this.PasswordResetHandler.generateAndEmailResetToken.callsArgWith(
        1,
-        'error'
+        new Error('error')
      )
-      this.PasswordResetController.requestReset(this.req, this.res)
-      this.res.statusCode.should.equal(500)
-      done()
+      this.PasswordResetController.requestReset(this.req, this.res, error => {
+        expect(error).to.exist
+        done()
+      })
    })

    it("should send a 404 if the email doesn't exist", function(done) {