Use user ID in password reset route in order to properly compare token hashes.

2021-12-16 19:49:33 -05:00 · 2021-12-16 19:49:33 -05:00 · b383be5dac
commit b383be5dac
parent e6a5fa58c7
6 changed files with 40 additions and 24 deletions
--- a/routes/forgot_password.go
+++ b/routes/forgot_password.go
@ -66,7 +66,7 @@ func (f *ForgotPassword) Post(c echo.Context) error {
 	u, err := f.Container.ORM.User.
 		Query().
 		Where(user.Email(form.Email)).
-		First(c.Request().Context())
+		Only(c.Request().Context())

 	if err != nil {
 		switch err.(type) {
--- a/routes/login.go
+++ b/routes/login.go
@ -61,7 +61,7 @@ func (l *Login) Post(c echo.Context) error {
 	u, err := l.Container.ORM.User.
 		Query().
 		Where(user.Email(form.Email)).
-		First(c.Request().Context())
+		Only(c.Request().Context())

 	if err != nil {
 		switch err.(type) {
--- a/routes/register.go
+++ b/routes/register.go
@ -42,6 +42,8 @@ func (r *Register) Post(c echo.Context) error {
 		return r.Get(c)
 	}

+	// TODO: Validation for dupe email addresses
+
 	// Parse the form values
 	form := new(RegisterForm)
 	if err := c.Bind(form); err != nil {
--- a/routes/router.go
+++ b/routes/router.go
@ -106,6 +106,6 @@ func userRoutes(c *container.Container, g *echo.Group, ctr controller.Controller

 	resetGroup := noAuth.Group("/password/reset", middleware.LoadValidPasswordToken(c.Auth))
 	reset := ResetPassword{Controller: ctr}
-	resetGroup.GET("/token/:password_token", reset.Get).Name = "reset_password"
-	resetGroup.POST("/token/:password_token", reset.Post).Name = "reset_password.post"
+	resetGroup.GET("/token/:user/:password_token", reset.Get).Name = "reset_password"
+	resetGroup.POST("/token/:user/:password_token", reset.Post).Name = "reset_password.post"
 }