Migrate renderSetPasswordForm to zod

GitOrigin-RevId: ddb6f06c6dc838ecee5c4bd31824f9e1c92c2cfe
2026-05-31 04:41:32 +02:00 · 2025-07-03 17:52:19 -04:00
parent b3c82daf4b
commit 378df8d7e5
2 changed files with 15 additions and 12 deletions
--- a/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
@@ -155,23 +155,32 @@ async function requestReset(req, res, next) {
  }
 }

+const renderSetPasswordFormSchema = z.object({
+  query: z.object({
+    email: z.string(),
+    passwordResetToken: z.string().optional(),
+  }),
+})
+
 async function renderSetPasswordForm(req, res, next) {
-  if (req.query.passwordResetToken != null) {
+  const { query } = validateReq(req, renderSetPasswordFormSchema)
+
+  if (query.passwordResetToken != null) {
    try {
      const result =
        await PasswordResetHandler.promises.getUserForPasswordResetToken(
-          req.query.passwordResetToken
+          query.passwordResetToken
        )

      const { user, remainingPeeks } = result || {}
      if (!user || remainingPeeks <= 0) {
        return res.redirect('/user/password/reset?error=token_expired')
      }
-      req.session.resetToken = req.query.passwordResetToken
+      req.session.resetToken = query.passwordResetToken
      let emailQuery = ''

-      if (typeof req.query.email === 'string') {
-        const email = EmailsHelper.parseEmail(req.query.email)
+      if (typeof query.email === 'string') {
+        const email = EmailsHelper.parseEmail(query.email)
        if (email) {
          emailQuery = `?email=${encodeURIComponent(email)}`
        }
@@ -190,7 +199,7 @@ async function renderSetPasswordForm(req, res, next) {
    return res.redirect('/user/password/reset')
  }

-  const email = EmailsHelper.parseEmail(req.query.email)
+  const email = EmailsHelper.parseEmail(query.email)

  // clean up to avoid leaking the token in the session object
  const passwordResetToken = req.session.resetToken
--- a/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs
@@ -30,12 +30,6 @@ export default {

    webRouter.get(
      '/user/password/set',
-      validate({
-        query: {
-          email: Joi.string().required(),
-          passwordResetToken: Joi.string(),
-        },
-      }),
      rateLimit,
      PasswordResetController.renderSetPasswordForm
    )