Fix for #99

[gkydev]

Fix #99

Always return code 200 for preventing email guessing.

[razvanilin]

Please check my comment on the code and have a think on how to change the code. Also, let me know if you don't have time to make the changes as I'd like to have this fixed asap and I know how to write the code haha

[razvanilin]

Returning a 200 is not enough. The email can still be guessed in two ways:

1. The data that is returned to the client differs. Look at result on line 316 and error on line 320
2. The request will finish faster or slower depending on whether there is an error or not

So how to deal with these?

1. Always return the same message. Something like { success: true } will do
2. Respond to the request right away and don't wait for the userController.requestPasswordReset() promise

[gkydev]

Sorry for it, i understand and fixing right away

[gkydev]

I did what you asked for but if i dont wait promises how can i return 400 in real error ?

[razvanilin]

There is no need to return an error here because this will tell the user if the email is in the system or not. So basically, someone could try out random emails to see if they have a Chartbrew account. This is a security issue.

Returning the same message all the time will stop attackers from finding valid email addresses.

[razvanilin]

Check comment

[razvanilin]

Always recommended to use a code editor that supports linting highlighting. This way you can check wether your code is respecting the guidelines of the project.

In the first line, you're missing a semicolon and the second one is missing spaces around the curly brackets.

https://app.codacy.com/gh/chartbrew/chartbrew/pullRequest?bid=25774484&prid=8190654

[gkydev]

Saw it and fixed thank you for explanation and your patience

[razvanilin]

Nice! looks good

Thanks for the PR

[gkydev]

Nice! looks good

Thanks for the PR

Thank you