Merge pull request #3824 from overleaf/jpa-password-reset-email-forwarding

[misc] fix passing around of users email as part of password reset GitOrigin-RevId: 54e8cde9867a2ce735bc7ebe281ead19ef49e6cd
2026-05-23 17:19:37 +02:00 · 2021-03-31 11:35:29 +02:00
parent 8f30b699b0
commit d65db1acf0
4 changed files with 81 additions and 12 deletions
--- a/services/web/app/src/Features/PasswordReset/PasswordResetController.js
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetController.js
@@ -5,6 +5,7 @@ const UserGetter = require('../User/UserGetter')
 const UserUpdater = require('../User/UserUpdater')
 const UserSessionsManager = require('../User/UserSessionsManager')
 const OError = require('@overleaf/o-error')
+const EmailsHelper = require('../Helpers/EmailHelper')
 const { expressify } = require('../../util/promises')

 async function setNewUserPassword(req, res, next) {
@@ -104,7 +105,14 @@ module.exports = {
  renderSetPasswordForm(req, res) {
    if (req.query.passwordResetToken != null) {
      req.session.resetToken = req.query.passwordResetToken
-      return res.redirect('/user/password/set')
+      let emailQuery = ''
+      if (typeof req.query.email === 'string') {
+        const email = EmailsHelper.parseEmail(req.query.email)
+        if (email) {
+          emailQuery = `?email=${encodeURIComponent(email)}`
+        }
+      }
+      return res.redirect('/user/password/set' + emailQuery)
    }
    if (req.session.resetToken == null) {
      return res.redirect('/user/password/reset')
--- a/services/web/app/views/user/setPassword.pug
+++ b/services/web/app/views/user/setPassword.pug
@@ -1,5 +1,8 @@
 extends ../layout

+block append meta
+	meta(name="ol-passwordStrengthOptions" data-type="json" content=settings.passwordStrengthOptions)
+
 block content
 	main.content.content-alt
 		.container
@@ -18,6 +21,7 @@ block content
 							input(type="hidden", name="_csrf", value=csrfToken)
 							.alert.alert-success(ng-show="passwordResetForm.response.success")
 								| #{translate("password_has_been_reset")}.
+								br
 								a(href='/login') #{translate("login_here")}
 							div(ng-show="passwordResetForm.response.error == true")
 								div(ng-switch="passwordResetForm.response.status")
@@ -54,8 +58,3 @@ block content
 									type='submit',
 									ng-disabled="passwordResetForm.$invalid"
 								) #{translate("set_new_password")}
-
-
-	script(type="text/javascript", nonce=scriptNonce).
-		window.usersEmail = "#{getReqQueryParam('email')}"
-		window.passwordStrengthOptions = !{StringHelper.stringifyJsonForScript(settings.passwordStrengthOptions || {})}
--- a/services/web/test/acceptance/src/PasswordResetTests.js
+++ b/services/web/test/acceptance/src/PasswordResetTests.js
@@ -4,7 +4,7 @@ const UserHelper = require('./helpers/UserHelper')
 const { db } = require('../../../app/src/infrastructure/mongodb')

 describe('PasswordReset', function() {
-  let email, response, user, userHelper, token
+  let email, response, user, userHelper, token, emailQuery
  afterEach(async function() {
    await RateLimiter.promises.clearRateLimit(
      'password_reset_rate_limit',
@@ -14,6 +14,7 @@ describe('PasswordReset', function() {
  beforeEach(async function() {
    userHelper = new UserHelper()
    email = userHelper.getDefaultEmail()
+    emailQuery = `?email=${encodeURIComponent(email)}`
    userHelper = await UserHelper.createUser({ email })
    user = userHelper.user

@@ -43,7 +44,9 @@ describe('PasswordReset', function() {
          { simple: false }
        )
        expect(response.statusCode).to.equal(302)
-        expect(response.headers.location).to.equal('/user/password/set')
+        expect(response.headers.location).to.equal(
+          `/user/password/set${emailQuery}`
+        )
        // send reset request
        response = await userHelper.request.post('/user/password/set', {
          form: {
@@ -84,7 +87,9 @@ describe('PasswordReset', function() {
          { simple: false }
        )
        expect(response.statusCode).to.equal(302)
-        expect(response.headers.location).to.equal('/user/password/set')
+        expect(response.headers.location).to.equal(
+          `/user/password/set${emailQuery}`
+        )
        // send reset request
        response = await userHelper.request.post('/user/password/set', {
          form: {
@@ -117,7 +122,9 @@ describe('PasswordReset', function() {
          { simple: false }
        )
        expect(response.statusCode).to.equal(302)
-        expect(response.headers.location).to.equal('/user/password/set')
+        expect(response.headers.location).to.equal(
+          `/user/password/set${emailQuery}`
+        )
        // send reset request
        response = await userHelper.request.post('/user/password/set', {
          form: {
@@ -149,7 +156,9 @@ describe('PasswordReset', function() {
          { simple: false }
        )
        expect(response.statusCode).to.equal(302)
-        expect(response.headers.location).to.equal('/user/password/set')
+        expect(response.headers.location).to.equal(
+          `/user/password/set${emailQuery}`
+        )
      })
      it('without a password should return 400 and not log the change', async function() {
        // send reset request
@@ -199,7 +208,9 @@ describe('PasswordReset', function() {
        { simple: false }
      )
      expect(response.statusCode).to.equal(302)
-      expect(response.headers.location).to.equal('/user/password/set')
+      expect(response.headers.location).to.equal(
+        `/user/password/set${emailQuery}`
+      )
      // send reset request
      response = await userHelper.request.post('/user/password/set', {
        form: {
--- a/services/web/test/unit/src/PasswordReset/PasswordResetControllerTests.js
+++ b/services/web/test/unit/src/PasswordReset/PasswordResetControllerTests.js
@@ -353,6 +353,57 @@ describe('PasswordResetController', function() {
      })
    })

+    describe('with token and email in query-string', function() {
+      beforeEach(function() {
+        this.req.query.passwordResetToken = this.token
+        this.req.query.email = 'foo@bar.com'
+      })
+
+      it('should set session.resetToken and redirect with email', function(done) {
+        this.req.session.should.not.have.property('resetToken')
+        this.res.redirect = path => {
+          path.should.equal('/user/password/set?email=foo%40bar.com')
+          this.req.session.resetToken.should.equal(this.token)
+          done()
+        }
+        this.PasswordResetController.renderSetPasswordForm(this.req, this.res)
+      })
+    })
+
+    describe('with token and invalid email in query-string', function() {
+      beforeEach(function() {
+        this.req.query.passwordResetToken = this.token
+        this.req.query.email = 'not-an-email'
+      })
+
+      it('should set session.resetToken and redirect without email', function(done) {
+        this.req.session.should.not.have.property('resetToken')
+        this.res.redirect = path => {
+          path.should.equal('/user/password/set')
+          this.req.session.resetToken.should.equal(this.token)
+          done()
+        }
+        this.PasswordResetController.renderSetPasswordForm(this.req, this.res)
+      })
+    })
+
+    describe('with token and non-string email in query-string', function() {
+      beforeEach(function() {
+        this.req.query.passwordResetToken = this.token
+        this.req.query.email = { foo: 'bar' }
+      })
+
+      it('should set session.resetToken and redirect without email', function(done) {
+        this.req.session.should.not.have.property('resetToken')
+        this.res.redirect = path => {
+          path.should.equal('/user/password/set')
+          this.req.session.resetToken.should.equal(this.token)
+          done()
+        }
+        this.PasswordResetController.renderSetPasswordForm(this.req, this.res)
+      })
+    })
+
    describe('without a token in query-string', function() {
      describe('with token in session', function() {
        beforeEach(function() {