added complex password validation to password resets

2026-05-27 11:01:56 +02:00 · 2015-04-30 11:59:44 +01:00
parent 312c56a24e
commit 9764ab258b
8 changed files with 22 additions and 12 deletions
--- a/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee
+++ b/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee
@@ -5,6 +5,7 @@ logger = require "logger-sharelatex"
 module.exports =

 	renderRequestResetForm: (req, res)->
+		logger.log "rendering request reset form"
 		res.render "user/passwordReset", 
 			title:"reset_password"

--- a/services/web/app/coffee/Features/PasswordReset/PasswordResetHandler.coffee
+++ b/services/web/app/coffee/Features/PasswordReset/PasswordResetHandler.coffee
@@ -18,7 +18,7 @@ module.exports =
 				if err then return callback(err)
 				emailOptions =
 					to : email
-					setNewPasswordUrl : "#{settings.siteUrl}/user/password/set?passwordResetToken=#{token}"
+					setNewPasswordUrl : "#{settings.siteUrl}/user/password/set?passwordResetToken=#{token}&email=#{encodeURIComponent(email)}"
 				EmailHandler.sendEmail "passwordResetRequested", emailOptions, (error) ->
 					return callback(error) if error?
 					callback null, true
--- a/services/web/app/coffee/Features/User/UserController.coffee
+++ b/services/web/app/coffee/Features/User/UserController.coffee
@@ -101,7 +101,7 @@ module.exports =
 			PasswordResetTokenHandler.getNewToken user._id, { expiresIn: ONE_WEEK }, (err, token)->
 				return next(err) if err?
 				
-				setNewPasswordUrl = "#{settings.siteUrl}/user/password/set?passwordResetToken=#{token}"
+				setNewPasswordUrl = "#{settings.siteUrl}/user/password/set?passwordResetToken=#{token}&email=#{encodeURIComponent(email)}"

 				EmailHandler.sendEmail "registered", {
 					to: user.email
--- a/services/web/app/coffee/infrastructure/ExpressLocals.coffee
+++ b/services/web/app/coffee/infrastructure/ExpressLocals.coffee
@@ -98,6 +98,11 @@ module.exports = (app)->
 		res.locals.csrfToken = req.session._csrf
 		next()

+	app.use (req, res, next) ->
+		res.locals.getReqQueryParam = (field)->
+			return req.query?[field]
+		next()
+
 	app.use (req, res, next)-> 
 		res.locals.fingerprint = (path) ->
 			if fingerprints[path]?
--- a/services/web/app/views/user/setPassword.jade
+++ b/services/web/app/views/user/setPassword.jade
@@ -22,17 +22,16 @@ block content
 									a(href='/login') #{translate("login_here")}

 							.form-group
-								input.form-control(
+								input.form-control#passwordField(
 									type='password',
 									name='password',
 									placeholder='new password',
 									required,
 									ng-model="password",
-									autofocus
+									autofocus,
+									complex-password
 								)
-								span.small.text-primary(
-									ng-show="passwordResetForm.password.$invalid && passwordResetForm.password.$dirty"
-								) #{translate("required")}
+								span.small.text-primary(ng-show="passwordResetForm.password.$error.complexPassword", ng-bind-html="complexPasswordErrorMessage") 
 								input(
 									type="hidden",
 									name="passwordResetToken",
@@ -43,3 +42,8 @@ block content
 									type='submit',
 									ng-disabled="passwordResetForm.$invalid"
 								) #{translate("set_new_password")}
+
+
+	script(type='text/javascript').
+		window.usersEmail = "#{getReqQueryParam('email')}"
+		window.passwordStrengthOptions = !{JSON.stringify(settings.passwordStrengthOptions || {})}
--- a/services/web/public/coffee/directives/asyncForm.coffee
+++ b/services/web/public/coffee/directives/asyncForm.coffee
@@ -113,10 +113,10 @@ define [

 			ngModelCtrl.$parsers.unshift (modelValue) ->
 				isValid = passField.validatePass()
+				email = asyncFormCtrl.getEmail() || window.usersEmail
 				if !isValid
 					scope.complexPasswordErrorMessage = passField.getPassValidationMessage()
-				else if asyncFormCtrl.getEmail()?
-					email = asyncFormCtrl.getEmail()
+				else if (email? and email != "")
 					startOfEmail = email?.split("@")?[0]
 					if modelValue.indexOf(email) != -1 or modelValue.indexOf(startOfEmail) != -1
 						isValid = false
--- a/services/web/test/UnitTests/coffee/PasswordReset/PasswordResetHandlerTests.coffee
+++ b/services/web/test/UnitTests/coffee/PasswordReset/PasswordResetHandlerTests.coffee
@@ -57,7 +57,7 @@ describe "PasswordResetHandler", ->
 				exists.should.equal true
 				args = @EmailHandler.sendEmail.args[0]
 				args[0].should.equal "passwordResetRequested"
-				args[1].setNewPasswordUrl.should.equal "#{@settings.siteUrl}/user/password/set?passwordResetToken=#{@token}"
+				args[1].setNewPasswordUrl.should.equal "#{@settings.siteUrl}/user/password/set?passwordResetToken=#{@token}&email=#{encodeURIComponent(@user.email)}"
 				done()

 		it "should return exists = false for a holdingAccount", (done) ->
--- a/services/web/test/UnitTests/coffee/User/UserControllerTests.coffee
+++ b/services/web/test/UnitTests/coffee/User/UserControllerTests.coffee
@@ -200,7 +200,7 @@ describe "UserController", ->
 				@EmailHandler.sendEmail
 					.calledWith("registered", {
 						to: @user.email
-						setNewPasswordUrl: "#{@settings.siteUrl}/user/password/set?passwordResetToken=#{@token}"
+						setNewPasswordUrl: "#{@settings.siteUrl}/user/password/set?passwordResetToken=#{@token}&email=#{encodeURIComponent(@user.email)}"
 					})
 					.should.equal true
 			
@@ -208,7 +208,7 @@ describe "UserController", ->
 				@res.json
 					.calledWith({
 						email: @user.email
-						setNewPasswordUrl: "#{@settings.siteUrl}/user/password/set?passwordResetToken=#{@token}"
+						setNewPasswordUrl: "#{@settings.siteUrl}/user/password/set?passwordResetToken=#{@token}&email=#{encodeURIComponent(@user.email)}"
 					})
 					.should.equal true