Check invalid email

Sending a mail with further instructions even if the email is invalid seems to be a good practice: A potential attacker will not now if a user has an account under that email address. If a user does not remember the email address, but has control over the other mail account, she will get feedback that this mail account is incorrect.
2025-12-13 07:45:56 +00:00 · 2019-06-15 23:01:22 +02:00 · 2019-06-15 23:01:22 +02:00 · 145a8d8bf6
commit 145a8d8bf6
parent c7ee0c8121
1 changed files with 39 additions and 22 deletions
--- a/backend/src/schema/resolvers/passwordReset.spec.js
+++ b/backend/src/schema/resolvers/passwordReset.spec.js
@ -30,34 +30,51 @@ describe('passwordReset', () => {
  })
  describe('requestPasswordReset', () => {
    const variables = { email: 'user@example.org' }
    const mutation = `mutation($email: String!) { requestPasswordReset(email: $email) }`
-    it('resolves', async () => {
+    describe('with invalid email', () => {
-      await expect(client.request(mutation, variables)).resolves.toEqual({"requestPasswordReset": true})
+      const variables = { email: 'non-existent@example.org' }
      it('resolves anyways', async () => {
        await expect(client.request(mutation, variables)).resolves.toEqual({"requestPasswordReset": true})
      })
      it('creates no node', async () => {
        await client.request(mutation, variables)
        const resets = await getAllPasswordResets()
        expect(resets).toHaveLength(0)
      })
    })
-    it('creates node with label `PasswordReset`', async () => {
+    describe('with a valid email', () => {
-      await client.request(mutation, variables)
+      const variables = { email: 'user@example.org' }
      const resets = await getAllPasswordResets()
      expect(resets).toHaveLength(1)
    })
-    it('creates an id used as a reset token', async () => {
+      it('resolves', async () => {
-      await client.request(mutation, variables)
+        await expect(client.request(mutation, variables)).resolves.toEqual({"requestPasswordReset": true})
-      const [reset] = await getAllPasswordResets()
+      })
      const { id: token } = reset.properties
      expect(token).toMatch(/^........-....-....-....-............$/)
    })
-    it('created PasswordReset is valid for less than 4 minutes', async () => {
+      it('creates node with label `PasswordReset`', async () => {
-      await client.request(mutation, variables)
+        await client.request(mutation, variables)
-      const [reset] = await getAllPasswordResets()
+        const resets = await getAllPasswordResets()
-      let { validUntil } = reset.properties
+        expect(resets).toHaveLength(1)
-      validUntil = Date.parse(validUntil)
+      })
-      const now = (new Date()).getTime()
+
-      expect(validUntil).toBeGreaterThan(now - 60*1000)
+      it('creates an id used as a reset token', async () => {
-      expect(validUntil).toBeLessThan(now + 4*60*1000)
+        await client.request(mutation, variables)
        const [reset] = await getAllPasswordResets()
        const { id: token } = reset.properties
        expect(token).toMatch(/^........-....-....-....-............$/)
      })
      it('created PasswordReset is valid for less than 4 minutes', async () => {
        await client.request(mutation, variables)
        const [reset] = await getAllPasswordResets()
        let { validUntil } = reset.properties
        validUntil = Date.parse(validUntil)
        const now = (new Date()).getTime()
        expect(validUntil).toBeGreaterThan(now - 60*1000)
        expect(validUntil).toBeLessThan(now + 4*60*1000)
      })
    })
  })
 })