Include password token entity ID in reset URL in order to prevent loading all tokens.

2022-01-27 08:44:12 -05:00 · 2022-01-27 08:44:12 -05:00 · 6546418052
commit 6546418052
parent 7a1a01d43e
7 changed files with 50 additions and 35 deletions
--- a/middleware/auth.go
+++ b/middleware/auth.go
@ -2,6 +2,7 @@ package middleware

 import (
 	"net/http"
+	"strconv"

 	"github.com/mikestefanello/pagoda/context"
 	"github.com/mikestefanello/pagoda/ent"
@ -48,7 +49,19 @@ func LoadValidPasswordToken(authClient *services.AuthClient) echo.MiddlewareFunc
 			}
 			usr := c.Get(context.UserKey).(*ent.User)

-			token, err := authClient.GetValidPasswordToken(c, c.Param("password_token"), usr.ID)
+			// Extract the token ID
+			tokenID, err := strconv.Atoi(c.Param("password_token"))
+			if err != nil {
+				return echo.NewHTTPError(http.StatusNotFound)
+			}
+
+			// Attempt to load a valid password token
+			token, err := authClient.GetValidPasswordToken(
+				c,
+				usr.ID,
+				tokenID,
+				c.Param("token"),
+			)

 			switch err.(type) {
 			case nil:
--- a/middleware/auth_test.go
+++ b/middleware/auth_test.go
@ -79,17 +79,17 @@ func TestLoadValidPasswordToken(t *testing.T) {
 	err := tests.ExecuteMiddleware(ctx, LoadValidPasswordToken(c.Auth))
 	tests.AssertHTTPErrorCode(t, err, http.StatusInternalServerError)

-	// Add user context but no password token and expect a redirect
-	ctx.SetParamNames("user")
-	ctx.SetParamValues(fmt.Sprintf("%d", usr.ID))
+	// Add user and password token context but no token and expect a redirect
+	ctx.SetParamNames("user", "password_token")
+	ctx.SetParamValues(fmt.Sprintf("%d", usr.ID), "1")
 	_ = tests.ExecuteMiddleware(ctx, LoadUser(c.ORM))
 	err = tests.ExecuteMiddleware(ctx, LoadValidPasswordToken(c.Auth))
 	assert.NoError(t, err)
 	assert.Equal(t, http.StatusFound, ctx.Response().Status)

 	// Add user context and invalid password token and expect a redirect
-	ctx.SetParamNames("user", "password_token")
-	ctx.SetParamValues(fmt.Sprintf("%d", usr.ID), "faketoken")
+	ctx.SetParamNames("user", "password_token", "token")
+	ctx.SetParamValues(fmt.Sprintf("%d", usr.ID), "1", "faketoken")
 	_ = tests.ExecuteMiddleware(ctx, LoadUser(c.ORM))
 	err = tests.ExecuteMiddleware(ctx, LoadValidPasswordToken(c.Auth))
 	assert.NoError(t, err)
@ -100,8 +100,8 @@ func TestLoadValidPasswordToken(t *testing.T) {
 	require.NoError(t, err)

 	// Add user and valid password token
-	ctx.SetParamNames("user", "password_token")
-	ctx.SetParamValues(fmt.Sprintf("%d", usr.ID), token)
+	ctx.SetParamNames("user", "password_token", "token")
+	ctx.SetParamValues(fmt.Sprintf("%d", usr.ID), fmt.Sprintf("%d", pt.ID), token)
 	_ = tests.ExecuteMiddleware(ctx, LoadUser(c.ORM))
 	err = tests.ExecuteMiddleware(ctx, LoadValidPasswordToken(c.Auth))
 	assert.Nil(t, err)