feat: Add Parse Server option resetPasswordSuccessOnInvalidEmail to…

… choose success or error response on password reset with invalid email (parse-community#7551)
mtrezza · Feb 24, 2023 · e5d610e · e5d610e
1 parent 5477848
commit e5d610e
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 16 deletions.
diff --git a/spec/ValidationAndPasswordsReset.spec.js b/spec/ValidationAndPasswordsReset.spec.js
@@ -1082,4 +1082,43 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
  done();
  });
  });
+
+ it('should throw on an invalid reset password', async () => {
+ await reconfigureServer({
+ appName: 'coolapp',
+ publicServerURL: 'http://localhost:1337/1',
+ emailAdapter: MockEmailAdapterWithOptions({
+ fromAddress: 'parse@example.com',
+ apiKey: 'k',
+ domain: 'd',
+ }),
+ passwordPolicy: {
+ resetPasswordSuccessOnInvalidEmail: false,
+ },
+ });
+
+ await expectAsync(Parse.User.requestPasswordReset('test@example.com')).toBeRejectedWith(
+ new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'A user with that email does not exist.')
+ );
+ });
+
+ it('validate resetPasswordSuccessonInvalidEmail', async () => {
+ const invalidValues = [[], {}, 1, 'string'];
+ for (const value of invalidValues) {
+ await expectAsync(
+ reconfigureServer({
+ appName: 'coolapp',
+ publicServerURL: 'http://localhost:1337/1',
+ emailAdapter: MockEmailAdapterWithOptions({
+ fromAddress: 'parse@example.com',
+ apiKey: 'k',
+ domain: 'd',
+ }),
+ passwordPolicy: {
+ resetPasswordSuccessOnInvalidEmail: value,
+ },
+ })
+ ).toBeRejectedWith('resetPasswordSuccessOnInvalidEmail must be a boolean value');
+ }
+ });
 });
diff --git a/src/Config.js b/src/Config.js
@@ -376,6 +376,13 @@ export class Config {
  if (passwordPolicy.resetTokenReuseIfValid && !passwordPolicy.resetTokenValidityDuration) {
  throw 'You cannot use resetTokenReuseIfValid without resetTokenValidityDuration';
  }
+
+ if (
+ passwordPolicy.resetPasswordSuccessOnInvalidEmail &&
+ typeof passwordPolicy.resetPasswordSuccessOnInvalidEmail !== 'boolean'
+ ) {
+ throw 'resetPasswordSuccessOnInvalidEmail must be a boolean value';
+ }
  }
  }
 

diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -907,6 +907,13 @@ module.exports.PasswordPolicyOptions = {
  'Set the number of previous password that will not be allowed to be set as new password. If the option is not set or set to `0`, no previous passwords will be considered.<br><br>Valid values are >= `0` and <= `20`.<br>Default is `0`.',
  action: parsers.numberParser('maxPasswordHistory'),
  },
+ resetPasswordSuccessOnInvalidEmail: {
+ env: 'PARSE_SERVER_PASSWORD_POLICY_RESET_PASSWORD_SUCCESS_ON_INVALID_EMAIL',
+ help:
+ 'Set to `true` if a request to reset the password should return a success response even if the provided email address is invalid, or `false` if the request should return an error response if the email address is invalid.<br><br>Default is `true`.',
+ action: parsers.booleanParser,
+ default: true,
+ },
  resetTokenReuseIfValid: {
  env: 'PARSE_SERVER_PASSWORD_POLICY_RESET_TOKEN_REUSE_IF_VALID',
  help:

diff --git a/src/Options/docs.js b/src/Options/docs.js
diff --git a/src/Options/index.js b/src/Options/index.js
@@ -525,6 +525,11 @@ export interface PasswordPolicyOptions {
  Default is `false`.
  :DEFAULT: false */
  resetTokenReuseIfValid: ?boolean;
+ /* Set to `true` if a request to reset the password should return a success response even if the provided email address is invalid, or `false` if the request should return an error response if the email address is invalid.
+ <br><br>
+ Default is `true`.
+ :DEFAULT: true */
+ resetPasswordSuccessOnInvalidEmail: ?boolean;
 }
 
 export interface FileUploadOptions {

diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
@@ -414,7 +414,7 @@ export class UsersRouter extends ClassesRouter {
  }
  }
 
- handleResetRequest(req) {
+ async handleResetRequest(req) {
  this._throwOnBadEmailConfig(req);
 
  const { email } = req.body;
@@ -428,24 +428,22 @@ export class UsersRouter extends ClassesRouter {
  );
  }
  const userController = req.config.userController;
- return userController.sendPasswordResetEmail(email).then(
- () => {
- return Promise.resolve({
- response: {},
- });
- },
- err => {
- if (err.code === Parse.Error.OBJECT_NOT_FOUND) {
- // Return success so that this endpoint can't
- // be used to enumerate valid emails
- return Promise.resolve({
+ try {
+ await userController.sendPasswordResetEmail(email);
+ return {
+ response: {},
+ };
+ } catch (err) {
+ if (err.code === Parse.Error.OBJECT_NOT_FOUND) {
+ if (req.config.passwordPolicy?.resetPasswordSuccessOnInvalidEmail ?? true) {
+ return {
  response: {},
- });
- } else {
- throw err;
+ };
  }
+ err.message = `A user with that email does not exist.`;
  }
- );
+ throw err;
+ }
  }
 
  handleVerificationEmailRequest(req) {