0aaeb6671e
This fixes an issue where the reset token was leaked in the referrer header when navigating away from the password reset page to an external site. Now we read the token from the query string, store it in the session, then redirect to the bare URL of the password reset page, which uses the stored token to render the reset form.
PasswordResetHandler = require("./PasswordResetHandler")
RateLimiter = require("../../infrastructure/RateLimiter")
logger = require "logger-sharelatex"
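module.exports =
	# GET handler: renders the "request a password reset" form.
	renderRequestResetForm: (req, res)->
		logger.log "rendering request reset form"
		res.render "user/passwordReset",
			title: "reset_password"

	# POST handler: rate-limits per client IP, then asks PasswordResetHandler
	# to generate a reset token and e-mail it to the posted address.
	#
	# Responds 400 when no e-mail string was posted, 500 when the per-IP limit
	# is hit or the handler fails, 404 when the address is unknown, 200 otherwise.
	requestReset: (req, res)->
		rawEmail = req.body?.email
		# A missing or non-string field previously threw inside trim(); reject
		# it as a bad request instead of letting Express turn it into a 500.
		if typeof rawEmail isnt "string"
			return res.sendStatus 400
		email = rawEmail.trim().toLowerCase()
		opts =
			endpointName: "password_reset_rate_limit"
			timeInterval: 60
			subjectName: req.ip
			throttle: 6
		RateLimiter.addCount opts, (err, canContinue)->
			# A rate-limiter error leaves canContinue unset, so the request is
			# refused below; log it rather than silently treating it as a limit hit.
			if err?
				logger.err {err, ip: req.ip}, "error checking password reset rate limit"
			if !canContinue
				return res.status(500).send { message: req.i18n.translate("rate_limit_hit_wait") }
			PasswordResetHandler.generateAndEmailResetToken email, (err, exists)->
				if err?
					# NOTE(review): err.message is echoed to the client as-is; kept for
					# compatibility with the existing front end, but a generic message
					# would avoid exposing internal detail.
					res.status(500).send {message: err?.message}
				else if exists
					res.sendStatus 200
				else
					# NOTE(review): the distinct 404 reveals whether an address is
					# registered (account enumeration); left as-is because the form
					# displays this message, but a uniform response is preferable.
					res.status(404).send {message: req.i18n.translate("cant_find_email")}

	# GET handler for the "set new password" page.
	#
	# The token arrives once via ?passwordResetToken=...; it is moved into the
	# session and the client is redirected to the bare URL, so the token is no
	# longer in the address bar and cannot leak through the Referer header when
	# the user follows an external link from this page.
	renderSetPasswordForm: (req, res)->
		if req.query.passwordResetToken?
			req.session.resetToken = req.query.passwordResetToken
			return res.redirect('/user/password/set')
		# No token in the query or the session: send the user back to request one.
		if !req.session.resetToken?
			return res.redirect('/user/password/reset')
		res.render "user/setPassword",
			title: "set_password"
			passwordResetToken: req.session.resetToken

	# POST handler: sets the new password using the token submitted with the form.
	#
	# `next` is the Express error callback. The original signature omitted it,
	# so `next(err)` raised a ReferenceError whenever the handler failed; Express
	# always passes it, so adding the parameter is backward-compatible.
	#
	# Responds 400 on a missing or empty token/password, 404 when the token is
	# unknown or expired, 200 on success; other failures go to next(err).
	setNewUserPassword: (req, res, next)->
		{passwordResetToken, password} = req.body or {}
		# Require non-empty strings: a non-string value (e.g. an array from the
		# body parser) would pass a bare length check but throw on trim().
		if typeof password isnt "string" or password.length == 0 or typeof passwordResetToken isnt "string" or passwordResetToken.length == 0
			return res.sendStatus 400
		# Drop the session copy of the token before attempting the change; the
		# form-submitted token is the one actually verified by the handler.
		delete req.session.resetToken
		PasswordResetHandler.setNewUserPassword passwordResetToken.trim(), password.trim(), (err, found) ->
			return next(err) if err?
			if found
				res.sendStatus 200
			else
				res.status(404).send {message: req.i18n.translate("password_reset_token_expired")}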