From a446d50f840237d1f9578c0d29fc06f6b3662f50 Mon Sep 17 00:00:00 2001
From: christopherbrookes
Date: Fri, 13 Dec 2019 01:38:05 +0100
Subject: [PATCH 1/2] Add missing encodeURIComponent on username
---
 src/Routers/PublicAPIRouter.js | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/Routers/PublicAPIRouter.js b/src/Routers/PublicAPIRouter.js
index efa0ea5852..f30c52892f 100644
--- a/src/Routers/PublicAPIRouter.js
+++ b/src/Routers/PublicAPIRouter.js
@@ -212,13 +212,14 @@ export class PublicAPIRouter extends PromiseRouter {
 }
 }
 
+ const encodedUsername = encodeURIComponent(username);
+ const location = result.success
+ ? `${config.passwordResetSuccessURL}?username=${encodedUsername}`
+ : `${config.choosePasswordURL}?${params}`;
+
 return Promise.resolve({
 status: 302,
- location: `${
- result.success
- ? `${config.passwordResetSuccessURL}?username=${username}`
- : `${config.choosePasswordURL}?${params}`
- }`,
+ location,
 });
 });
 }
From 3e491abcbf3e560d527a6dbd72296426d50dd300 Mon Sep 17 00:00:00 2001
From: christopherbrookes
Date: Mon, 16 Dec 2019 22:33:18 +0100
Subject: [PATCH 2/2] Add new unit test on encoded username password reset redirect
---
 spec/ValidationAndPasswordsReset.spec.js | 61 +++++++++++++++++++++++-
 1 file changed, 60 insertions(+), 1 deletion(-)

diff --git a/spec/ValidationAndPasswordsReset.spec.js b/spec/ValidationAndPasswordsReset.spec.js
index 0e9db70a4f..8be07b3fa5 100644
--- a/spec/ValidationAndPasswordsReset.spec.js
+++ b/spec/ValidationAndPasswordsReset.spec.js
@@ -463,7 +463,7 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
 });
 });
 
- it('succeeds sending a password reset email if appName, publicServerURL, and email adapter are prodvided', done => {
+ it('succeeds sending a password reset email if appName, publicServerURL, and email adapter are provided', done => {
 reconfigureServer({
 appName: 'coolapp',
 publicServerURL: 'http://localhost:1337/1',
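Review bot: The success branch still assembles the redirect by appending `?username=` to `config.passwordResetSuccessURL` as a string, so a configured URL that already carries a query string ends up with a second `?` and the parameter is misread by the target page; the failure branch appends `${params}` the same way. Because `username` is request-supplied data reflected into a `Location` header, building the target with `URL`/`URLSearchParams` would encode the value and merge it with any existing query in one step, e.g. `const successUrl = new URL(config.passwordResetSuccessURL); successUrl.searchParams.set('username', username);` followed by `const location = result.success ? successUrl.toString() : \`${config.choosePasswordURL}?${params}\`;`. That relies on `passwordResetSuccessURL` being configured as an absolute URL, which the hunk does not show. The enclosing handler and the code that builds `params` start outside the hunk, so whether `params` is already percent-encoded cannot be checked here.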
@@ -910,6 +910,65 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
 });
 });
 
+ it('should redirect with username encoded on success page', done => {
+ const user = new Parse.User();
+ const emailAdapter = {
+ sendVerificationEmail: () => Promise.resolve(),
+ sendPasswordResetEmail: options => {
+ request({
+ url: options.link,
+ followRedirects: false,
+ }).then(response => {
+ expect(response.status).toEqual(302);
+ const re = /http:\/\/localhost:8378\/1\/apps\/choose_password\?token=([a-zA-Z0-9]+)\&id=test\&username=zxcv%2B1/;
+ const match = response.text.match(re);
+ if (!match) {
+ fail('should have a token');
+ done();
+ return;
+ }
+ const token = match[1];
+
+ request({
+ url: 'http://localhost:8378/1/apps/test/request_password_reset',
+ method: 'POST',
+ body: { new_password: 'hello', token, username: 'zxcv+1' },
+ headers: {
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ },
+ followRedirects: false,
+ }).then(response => {
+ expect(response.status).toEqual(302);
+ expect(response.text).toEqual(
+ 'Found. Redirecting to http://localhost:8378/1/apps/password_reset_success.html?username=zxcv%2B1'
+ );
+ done();
+ });
+ });
+ },
+ sendMail: () => {},
+ };
+ reconfigureServer({
+ appName: 'emailing app',
+ verifyUserEmails: true,
+ emailAdapter: emailAdapter,
+ publicServerURL: 'http://localhost:8378/1',
+ }).then(() => {
+ user.setPassword('asdf');
+ user.setUsername('zxcv+1');
+ user.set('email', 'user@parse.com');
+ user.signUp().then(() => {
+ Parse.User.requestPasswordReset('user@parse.com', {
+ error: err => {
+ jfail(err);
+ fail('Should not fail');
+ done();
+ },
+ });
+ });
+ });
+ });
+
 it('should programmatically reset password on ajax request', async done => {
 const user = new Parse.User();
 const emailAdapter = {
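Review bot: Both `request(...).then(...)` chains inside the new `sendPasswordResetEmail` callback have no rejection handler, so a failed request or an `expect` that throws inside the callback never reaches `done` and the spec only fails by timeout with no diagnostic; ending each chain with `}).catch(done.fail);` turns that into an immediate, attributed failure. The second assertion compares the whole redirect body `'Found. Redirecting to …'`, which ties the test to the framework's default redirect body rather than to the `Location` header the fix actually sets; if the `request` helper exposes headers, asserting on `response.headers.location` would be more robust, but the helper is outside this hunk. In the `re` literal, `\&` is an identity escape that adds nothing and is rejected under the `u` flag, so plain `&` reads cleaner.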