From 145a8d8bf65efa55fd53e5a70d711ed5241aa11f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?=
Date: Sat, 15 Jun 2019 23:01:22 +0200
Subject: [PATCH] Check invalid email

Sending a mail with further instructions even if the email is invalid seems to be a good practice: A potential attacker will not now if a user has an account under that email address. If a user does not remember the email address, but has control over the other mail account, she will get feedback that this mail account is incorrect.
---
 .../schema/resolvers/passwordReset.spec.js | 61 ++++++++++++-------
 1 file changed, 39 insertions(+), 22 deletions(-)

diff --git a/backend/src/schema/resolvers/passwordReset.spec.js b/backend/src/schema/resolvers/passwordReset.spec.js
index 3b0d39864..4bd29c9c6 100644
--- a/backend/src/schema/resolvers/passwordReset.spec.js
+++ b/backend/src/schema/resolvers/passwordReset.spec.js
@@ -30,34 +30,51 @@ describe('passwordReset', () => {
   })
 
   describe('requestPasswordReset', () => {
-    const variables = { email: 'user@example.org' }
     const mutation = `mutation($email: String!) { requestPasswordReset(email: $email) }`
 
-    it('resolves', async () => {
-      await expect(client.request(mutation, variables)).resolves.toEqual({"requestPasswordReset": true})
+    describe('with invalid email', () => {
+      const variables = { email: 'non-existent@example.org' }
+
+      it('resolves anyways', async () => {
+        await expect(client.request(mutation, variables)).resolves.toEqual({"requestPasswordReset": true})
+      })
+
+      it('creates no node', async () => {
+        await client.request(mutation, variables)
+        const resets = await getAllPasswordResets()
+        expect(resets).toHaveLength(0)
+      })
     })
 
-    it('creates node with label `PasswordReset`', async () => {
-      await client.request(mutation, variables)
-      const resets = await getAllPasswordResets()
-      expect(resets).toHaveLength(1)
-    })
+    describe('with a valid email', () => {
+      const variables = { email: 'user@example.org' }
 
-    it('creates an id used as a reset token', async () => {
-      await client.request(mutation, variables)
-      const [reset] = await getAllPasswordResets()
-      const { id: token } = reset.properties
-      expect(token).toMatch(/^........-....-....-....-............$/)
-    })
+      it('resolves', async () => {
+        await expect(client.request(mutation, variables)).resolves.toEqual({"requestPasswordReset": true})
+      })
 
-    it('created PasswordReset is valid for less than 4 minutes', async () => {
-      await client.request(mutation, variables)
-      const [reset] = await getAllPasswordResets()
-      let { validUntil } = reset.properties
-      validUntil = Date.parse(validUntil)
-      const now = (new Date()).getTime()
-      expect(validUntil).toBeGreaterThan(now - 60*1000)
-      expect(validUntil).toBeLessThan(now + 4*60*1000)
+      it('creates node with label `PasswordReset`', async () => {
+        await client.request(mutation, variables)
+        const resets = await getAllPasswordResets()
+        expect(resets).toHaveLength(1)
+      })
+
+      it('creates an id used as a reset token', async () => {
+        await client.request(mutation, variables)
+        const [reset] = await getAllPasswordResets()
+        const { id: token } = reset.properties
+        expect(token).toMatch(/^........-....-....-....-............$/)
+      })
+
+      it('created PasswordReset is valid for less than 4 minutes', async () => {
+        await client.request(mutation, variables)
+        const [reset] = await getAllPasswordResets()
+        let { validUntil } = reset.properties
+        validUntil = Date.parse(validUntil)
+        const now = (new Date()).getTime()
+        expect(validUntil).toBeGreaterThan(now - 60*1000)
+        expect(validUntil).toBeLessThan(now + 4*60*1000)
+      })
     })
   })
 })
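Review bot: The reason the unknown-address case must still resolve to `{"requestPasswordReset": true}` exists only in the commit message; the `describe('with invalid email'` block should carry it so a later maintainer does not "fix" the response into an error, e.g. `// Respond identically for unknown addresses so the reply cannot be used to tell which e-mail addresses have accounts`. `creates no node` only proves its point if the store is empty before the request, which presumably a beforeEach/afterEach outside the hunk guarantees; stating that in the same comment would make the `toHaveLength(0)` assertion self-explanatory. The moved token assertion `toMatch(/^........-....-....-....-............$/)` accepts any character in each position, so if the ids are lowercase hex UUIDs the 8-4-4-4-12 shape it sketches would be pinned more honestly by `/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/`. Neither describe block exercises the mail path the commit message talks about, so whether an instruction mail is actually sent for an unknown address is not covered by these tests.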