bug #930: added email property check, ensuring the correct response. (#…

…1066)
getodk · Jan 29, 2025 · fc940ff · fc940ff
1 parent be5d3aa
commit fc940ff
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/lib/resources/users.js b/lib/resources/users.js
@@ -56,7 +56,7 @@ module.exports = (service, endpoint) => {
 
     // TODO/SECURITY: subtle timing attack here.
     service.post('/users/reset/initiate', endpoint(({ Users, mail }, { auth, body, query }) =>
-      Users.getByEmail(body.email)
+      (!body.email ? Problem.user.missingParameter({ field: 'email' }) : Users.getByEmail(body.email)
         .then((maybeUser) => maybeUser
           .map((user) => ((isTrue(query.invalidate))
             ? auth.canOrReject('user.password.invalidate', user.actor)
@@ -71,7 +71,7 @@ module.exports = (service, endpoint) => {
               .then((existed) => ((existed === true)
                 ? mail(body.email, 'accountResetDeleted')
                 : resolve()))))
-          .then(success))));
+          .then(success)))));
 
     // TODO: some standard URL structure for RPC-style methods.
     service.post('/users/reset/verify', endpoint(({ Actors, Sessions, Users }, { body, auth }) =>

diff --git a/test/integration/api/users.js b/test/integration/api/users.js
@@ -401,6 +401,16 @@ describe('api: /users', () => {
             asAlice.post('/v1/users/reset/verify')
               .send({ new: 'coolpassword' })
               .expect(403))));
+
+        it('should fail the request if email field is sent blank in request body', testService((service) =>
+          service.login('alice', (asAlice) =>
+            asAlice.post('/v1/users/reset/initiate')
+              .send({ email: '' })
+              .expect(400)
+              .then(({ body: { code, details } }) => {
+                details.should.eql({ field: 'email' });
+                code.should.eql(400.2);
+              }))));
       });
     }
   });