Fix password reset without a reseet token

2020-12-30 21:43:14 +01:00 · 2020-12-30 21:43:14 +01:00 · 787044628f
parent c842b70cb5
commit 787044628f
3 changed files with 12 additions and 2 deletions
--- a/pkg/user/error.go
+++ b/pkg/user/error.go
@ -157,6 +157,12 @@ func (err ErrNoPasswordResetToken) HTTPError() web.HTTPError {
 	return web.HTTPError{HTTPCode: http.StatusPreconditionFailed, Code: ErrCodeNoPasswordResetToken, Message: "No token to reset a user's password provided."}
 }

+// IsErrNoPasswordResetToken checks if an error is ErrNoPasswordResetToken
+func IsErrNoPasswordResetToken(err error) bool {
+	_, ok := err.(ErrNoPasswordResetToken)
+	return ok
+}
+
 // ErrInvalidPasswordResetToken is an error where the password reset token is invalid
 type ErrInvalidPasswordResetToken struct {
 	Token string
--- a/pkg/user/user_password_reset.go
+++ b/pkg/user/user_password_reset.go
@ -39,6 +39,10 @@ func ResetPassword(s *xorm.Session, reset *PasswordReset) (err error) {
 		return ErrNoUsernamePassword{}
 	}

+	if reset.Token == "" {
+		return ErrNoPasswordResetToken{}
+	}
+
 	// Check if we have a token
 	var user User
 	exists, err := s.
--- a/pkg/user/user_test.go
+++ b/pkg/user/user_test.go
@ -410,12 +410,12 @@ func TestUserPasswordReset(t *testing.T) {
 		defer s.Close()

 		reset := &PasswordReset{
-			Token:       "somethingsomething",
+			Token:       "",
 			NewPassword: "12345",
 		}
 		err := ResetPassword(s, reset)
 		assert.Error(t, err)
-		assert.True(t, IsErrInvalidPasswordResetToken(err))
+		assert.True(t, IsErrNoPasswordResetToken(err))
 	})
 	t.Run("wrong token", func(t *testing.T) {
 		db.LoadAndAssertFixtures(t)