Fix JSON validation on update password

EventListener/RequestEventListener.php

@@ -72,18 +72,25 @@ public function decodeRequest(KernelEvent $event): void
         }
 
         if ('coop_tilleuls_forgot_password.reset' === $routeName) {
-            if (!\in_array($fieldName, $this->authorizedFields, true)) {
-                throw new UnauthorizedFieldException($fieldName);
-            }
-            $request->attributes->set('propertyName', $fieldName);
-            $request->attributes->set('value', $data[$fieldName]);
-        } else {
-            if ($this->userPasswordField !== $fieldName) {
-                throw new MissingFieldHttpException($this->userPasswordField);
+            foreach ($data as $fieldName => $value) {
+                if (\in_array($fieldName, $this->authorizedFields, true)) {
+                    $request->attributes->set('propertyName', $fieldName);
+                    $request->attributes->set('value', $value);
+
+                    return;
+                }
             }
 
-            $request->attributes->set($fieldName, $data[$fieldName]);
+            throw new UnauthorizedFieldException($fieldName);
         }
+
+        if (!empty($data[$this->userPasswordField])) {
+            $request->attributes->set($this->userPasswordField, $data[$this->userPasswordField]);
+
+            return;
+        }
+
+        throw new MissingFieldHttpException($this->userPasswordField);
     }
 
     public function getTokenFromRequest(KernelEvent $event): void

Resources/doc/getting_started.md

@@ -102,6 +102,7 @@ coop_tilleuls_forgot_password:
         class: 'App\Entity\User'          # User class fully qualified name (required)
         email_field: 'email'              # Email property in user class (optional, default value)
         password_field: 'password'        # Password property in user class (optional, default value)
+        authorized_fields: [ 'email' ]    # User properties authorized to reset the password (optional, default value)
     use_jms_serializer: false             # Switch between symfony's serializer component or JMS Serializer
 ```
 

features/bootstrap/FeatureContext.php

@@ -82,8 +82,8 @@ public function iHaveAnExpiredToken(): void
     }
 
     /**
-     * @Then I reset my password
-     * @Then I reset my password with my :propertyName ":value"
+     * @When I reset my password
+     * @When I reset my password with my :propertyName ":value"
      *
      * @param string $propertyName
      * @param string $value
@@ -149,6 +149,7 @@ public function thePageShouldNotBeFound(): void
      */
     public function theResponseShouldBeEmpty(): void
     {
+        dump($this->client->getResponse()->getContent());
         Assert::assertTrue(
             $this->client->getResponse()->isEmpty(),
             sprintf('Response is not valid: got %d', $this->client->getResponse()->getStatusCode())
@@ -179,7 +180,7 @@ public function theRequestShouldBeInvalidWithMessage($message): void
     }
 
     /**
-     * @Then I reset my password using invalid email address
+     * @When I reset my password using invalid email address
      */
     public function iResetMyPasswordUsingInvalidEmailAddress(): void
     {
@@ -198,15 +199,15 @@ public function iResetMyPasswordUsingInvalidEmailAddress(): void
     }
 
     /**
-     * @Then I reset my password using no parameter
+     * @When I reset my password using no parameter
      */
     public function iResetMyPasswordUsingNoParameter(): void
     {
         $this->client->request('POST', '/api/forgot-password/');
     }
 
     /**
-     * @Then I update my password
+     * @When I update my password
      */
     public function iUpdateMyPassword(): void
     {
@@ -220,14 +221,26 @@ public function iUpdateMyPassword(): void
             ['CONTENT_TYPE' => 'application/json'],
             <<<'JSON'
 {
+    "ignoreMe": "bar",
     "password": "foo"
 }
 JSON
         );
     }
 
     /**
-     * @Then I update my password using no password
+     * @Then the password should have been updated
+     */
+    public function thePasswordShouldHaveBeenUpdated(): void
+    {
+        $user = $this->doctrine->getManager()->getRepository(User::class)->findOneBy(['username' => 'JohnDoe']);
+
+        Assert::assertNotNull($user, 'Unable to retrieve User object.');
+        Assert::assertEquals('foo', $user->getPassword(), sprintf('User password hasn\'t be updated, expected "foo", got "%s".', $user->getPassword()));
+    }
+
+    /**
+     * @When I update my password using no password
      */
     public function iUpdateMyPasswordUsingNoPassword(): void
     {
@@ -237,7 +250,7 @@ public function iUpdateMyPasswordUsingNoPassword(): void
     }
 
     /**
-     * @Then I update my password using an invalid token
+     * @When I update my password using an invalid token
      */
     public function iUpdateMyPasswordUsingAnInvalidToken(): void
     {
@@ -256,7 +269,7 @@ public function iUpdateMyPasswordUsingAnInvalidToken(): void
     }
 
     /**
-     * @Then I update my password using an expired token
+     * @When I update my password using an expired token
      */
     public function iUpdateMyPasswordUsingAnExpiredToken(): void
     {
@@ -277,7 +290,7 @@ public function iUpdateMyPasswordUsingAnExpiredToken(): void
     }
 
     /**
-     * @Then I get a password token
+     * @When I get a password token
      */
     public function iGetAPasswordToken(): void
     {
@@ -302,7 +315,7 @@ public function iShouldGetAPasswordToken(): void
     }
 
     /**
-     * @Then I get a password token using an expired token
+     * @When I get a password token using an expired token
      */
     public function iGetAPasswordTokenUsingAnExpiredToken(): void
     {

features/forgotPassword.feature

@@ -42,6 +42,11 @@ Feature: I need to be able to reset my password
         When I update my password using no password
         Then the request should be invalid with message 'No parameter sent.'
 
+    Scenario: I can update my password using a valid token and a password
+        When I update my password
+        Then the response should be empty
+        And the password should have been updated
+
     Scenario: I can get a password token
         When I get a password token
         Then I should get a password token