Don't send plaintext reset passwords via email (#8457)

* start work to avoid sending reset password in plaintext via email

* start checking parameters

* fix new password reset email

* render error if password reset code is missing or invalid

* implement POST route, conversion to bcrypt and messages

* add auth.local.passwordResetCode field

* add failing tests, move reset code validation func to lib, fixes, remove old tests

* fix unit tests

* fix page rendering and add integration tests

* fix password reset page

* add integration test

* fix string

* fix tests url
This commit is contained in:
Matteo Pagliazzi
2017-02-14 18:08:31 +01:00
committed by GitHub
parent c6c6632405
commit d30e7b9251
12 changed files with 690 additions and 44 deletions


@@ -59,7 +59,9 @@ let schema = new Schema({
type: String,
enum: ['bcrypt', 'sha1'],
},
salt: String, // Salt for SHA1 encrypted passwords, not stored for bcrypt
salt: String, // Salt for SHA1 encrypted passwords, not stored for bcrypt,
// Used to validate password reset codes and make sure only the most recent one can be used
passwordResetCode: String,
},
timestamps: {
created: {type: Date, default: Date.now},
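Review bot: the new `passwordResetCode` field has no companion expiry, so per the comment "only the most recent one can be used" a code stays valid until it is overwritten or explicitly cleared; consider adding something like `passwordResetCodeExpiresAt: Date` beside it (or documenting in this comment where the code is cleared) so a stale code cannot be replayed long after it was issued. Also, the explanatory comment sits on the line right after `salt: String, // ... not stored for bcrypt,` and reads as a continuation of the salt comment because of that trailing comma; drop the comma on the `salt` line and leave a blank line before the `passwordResetCode` comment so it is clearly attached to the new field.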