-
-
Notifications
You must be signed in to change notification settings - Fork 290
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix for #99 #100
Fix for #99 #100
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please check my comment on the code and have a think on how to change the code. Also, let me know if you don't have time to make the changes as I'd like to have this fixed asap and I know how to write the code haha
server/api/UserRoute.js
Outdated
@@ -317,7 +317,7 @@ module.exports = (app) => { | |||
}) | |||
.catch((error) => { | |||
if (error.message === "404") { | |||
return res.status(404).send(error); | |||
return res.status(200).send(error); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Returning a 200 is not enough. The email can still be guessed in two ways:
- The data that is returned to the client differs. Look at
result
on line 316 anderror
on line 320 - The request will finish faster or slower depending on whether there is an error or not
So how to deal with these?
- Always return the same message. Something like
{ success: true }
will do - Respond to the request right away and don't wait for the
userController.requestPasswordReset()
promise
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for it, i understand and fixing right away
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did what you asked for but if i dont wait promises how can i return 400 in real error ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is no need to return an error here because this will tell the user if the email is in the system or not. So basically, someone could try out random emails to see if they have a Chartbrew account. This is a security issue.
Returning the same message all the time will stop attackers from finding valid email addresses.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Check comment
server/api/UserRoute.js
Outdated
return res.status(400).send(error); | ||
}); | ||
userController.requestPasswordReset(req.body.email) | ||
return res.status(200).send({"success": true}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Always recommended to use a code editor that supports linting highlighting. This way you can check wether your code is respecting the guidelines of the project.
In the first line, you're missing a semicolon and the second one is missing spaces around the curly brackets.
https://app.codacy.com/gh/chartbrew/chartbrew/pullRequest?bid=25774484&prid=8190654
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Saw it and fixed thank you for explanation and your patience
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! looks good
Thanks for the PR
Thank you |
Fix #99
Always return code 200 for preventing email guessing.