Fix password reset flow

2021-03-20 17:17:34 +01:00 · 2021-03-20 17:17:34 +01:00 · 4ffe124f98
commit 4ffe124f98
parent b63fdabf55
3 changed files with 18 additions and 11 deletions
--- a/auth/handlers/handle_password-reset.go
+++ b/auth/handlers/handle_password-reset.go
@ -4,6 +4,7 @@ import (
 	"github.com/cortezaproject/corteza-server/auth/request"
 	"github.com/cortezaproject/corteza-server/pkg/errors"
 	"github.com/cortezaproject/corteza-server/system/service"
+	"github.com/cortezaproject/corteza-server/system/types"
 	"go.uber.org/zap"
 )

@ -46,11 +47,16 @@ func (h *AuthHandlers) resetPasswordForm(req *request.AuthReq) (err error) {

 	req.Template = TmplResetPassword

-	if req.AuthUser.User == nil {
+	if req.AuthUser == nil {
 		// user not set, expecting valid token in URL
 		if token := req.Request.URL.Query().Get("token"); len(token) > 0 {
-			req.AuthUser.User, err = h.AuthService.ValidatePasswordResetToken(req.Context(), token)
+			var user *types.User
+
+			user, err = h.AuthService.ValidatePasswordResetToken(req.Context(), token)
 			if err == nil {
+				// login user
+				req.AuthUser = request.NewAuthUser(h.Settings, user, false, h.Opt.SessionLifetime)
+
 				// redirect back to self (but without token and with user in session
 				h.Log.Debug("valid password reset token found, refreshing page with stored user")
 				req.RedirectTo = GetLinks().ResetPassword
--- a/auth/handlers/handle_password-reset_test.go
+++ b/auth/handlers/handle_password-reset_test.go
@ -47,9 +47,7 @@ func Test_requestPasswordResetForm(t *testing.T) {

 func Test_resetPasswordForm(t *testing.T) {
 	var (
-		ctx  = context.Background()
-		user = makeMockUser(ctx)
-
+		ctx = context.Background()
 		req = &http.Request{
 			URL: &url.URL{},
 		}
@ -109,11 +107,11 @@ func Test_resetPasswordForm(t *testing.T) {

 			tc.fn()

-			authReq = prepareClientAuthReq(ctx, req, user)
+			authReq = prepareClientAuthReq(ctx, req, nil)
 			authHandlers = prepareClientAuthHandlers(ctx, authService, authSettings)

 			// unset so we get to the main functionality
-			authReq.AuthUser.User = nil
+			authReq.AuthUser = nil

 			err := authHandlers.resetPasswordForm(authReq)

--- a/auth/handlers/mock_test.go
+++ b/auth/handlers/mock_test.go
@ -317,8 +317,6 @@ func prepareClientAuthReq(ctx context.Context, req *http.Request, user *types.Us
 	s.MultiFactor.EmailOTP.Enforced = true
 	s.MultiFactor.TOTP.Enabled = true

-	authUser := request.NewAuthUser(s, user, true, time.Duration(time.Hour))
-
 	session := sessions.NewSession(&mockSession{
 		save: func(r *http.Request, w http.ResponseWriter, s *sessions.Session) error {
 			s.Values = make(map[interface{}]interface{})
@ -326,13 +324,18 @@ func prepareClientAuthReq(ctx context.Context, req *http.Request, user *types.Us
 		},
 	}, "session")

-	return &request.AuthReq{
+	authReq := &request.AuthReq{
 		Request:  req,
-		AuthUser: authUser,
 		Session:  session,
 		Response: httptest.NewRecorder(),
 		Data:     make(map[string]interface{}),
 	}
+
+	if user != nil {
+		authReq.AuthUser = request.NewAuthUser(s, user, true, time.Duration(time.Hour))
+	}
+
+	return authReq
 }

 func prepareClientAuthService(ctx context.Context, user *types.User) *mockAuthService {