Merge pull request #3231 from overleaf/jpa-hide-internal-error-messages

[misc] PasswordResetController: do not expose internal error messages

GitOrigin-RevId: 9eca5e7f5367559d5340363ef859589e218e817f
This commit is contained in:
Simon Detheridge 2020-09-28 11:51:57 +01:00 committed by Copybot
parent 2efd33eae6
commit fdcf327ae7
2 changed files with 13 additions and 11 deletions


@ -5,7 +5,7 @@ const AuthenticationManager = require('../Authentication/AuthenticationManager')
const UserGetter = require('../User/UserGetter')
const UserUpdater = require('../User/UserUpdater')
const UserSessionsManager = require('../User/UserSessionsManager')
const logger = require('logger-sharelatex')
const OError = require('@overleaf/o-error')
const { expressify } = require('../../util/promises')
async function setNewUserPassword(req, res, next) {
@ -73,7 +73,9 @@ module.exports = {
}
RateLimiter.addCount(opts, (err, canContinue) => {
if (err != null) {
res.status(500).send({ message: err.message })
return next(
new OError('rate-limit password reset failed').withCause(err)
)
}
if (!canContinue) {
return res.status(429).send({
@ -82,11 +84,10 @@ module.exports = {
}
PasswordResetHandler.generateAndEmailResetToken(email, (err, status) => {
if (err != null) {
logger.warn(
{ err },
'failed to generate and email password reset token'
)
res.status(500).send({ message: err.message })
OError.tag(err, 'failed to generate and email password reset token', {
email
})
next(err)
} else if (status === 'primary') {
res.status(200).send({
message: { text: req.i18n.translate('password_reset_email_sent') }
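Review bot: The `OError.tag(err, '...', { email })` call attaches the requester's email address to the error's info, so the address now travels with the error into whatever the error handler logs or forwards to error tracking; for a password-reset endpoint that is an unauthenticated caller's input, so it is worth confirming those sinks are meant to receive it, or dropping the info object and relying on the request-scoped log context instead. The same hunk removes the only visible `logger.warn` call while the first hunk keeps `const logger = require('logger-sharelatex')`; if nothing else in the file uses it (not visible here), the require is now dead and should go. In the rate-limit hunk, a one-line comment such as `// never echo err.message to the client; the error handler produces the response` would record the intent of this commit for the next maintainer. The enclosing `generateAndEmailResetToken` callback and the surrounding `requestReset` body continue outside the hunk.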


@ -117,12 +117,13 @@ describe('PasswordResetController', function() {
this.RateLimiter.addCount.callsArgWith(1, null, true)
this.PasswordResetHandler.generateAndEmailResetToken.callsArgWith(
1,
'error'
new Error('error')
)
this.PasswordResetController.requestReset(this.req, this.res)
this.res.statusCode.should.equal(500)
this.PasswordResetController.requestReset(this.req, this.res, error => {
expect(error).to.exist
done()
})
})
it("should send a 404 if the email doesn't exist", function(done) {
this.RateLimiter.addCount.callsArgWith(1, null, true)