diff --git a/routes/api/account/index.js b/routes/api/account/index.js
index b58fd2ce0..434edc58d 100644
--- a/routes/api/account/index.js
+++ b/routes/api/account/index.js
@@ -20,26 +20,29 @@ router.get('/', authorization.needed(), (req, res, next) => {
 * @param {Function} verifier the function used to verify the token, will throw on error
 * @param {Object} error the error object to send back in the event an error is found
 */
-const verifyTokenOnCheck = (verifier, error) => async (req, res, next) => {
- const {token, check = false} = req.body;
-
- if (!token) {
- return next(error);
- }
+const tokenCheck = (verifier, error) => async (req, res, next) => {
+ const {token = null, check = false} = req.body;
 
 if (check) {
+
+ // This request is checking to see if the token is valid.
 try {
+
+ // Verify the token.
 await verifier(token);
-
- res.status(204).end();
-
- // Don't continue to pass it onto the next middleware, as we've only been
- // asked to verify the token.
- return;
 } catch (err) {
+
+ // Log out the error, slurp it and send out the predefined error to the
+ // error handler.
 console.error(err);
 return next(error);
 }
+
+ res.status(204).end();
+
+ // Don't continue to pass it onto the next middleware, as we've only been
+ // asked to verify the token.
+ return;
 }
 
 next();
@@ -48,7 +51,7 @@ const verifyTokenOnCheck = (verifier, error) => async (req, res, next) => {
 // POST /email/confirm takes the password confirmation token available as a
 // payload parameter and if it verifies, it updates the confirmed_at date on the
 // local profile.
-router.post('/email/verify', verifyTokenOnCheck(UsersService.verifyEmailConfirmationToken, errors.ErrEmailVerificationToken), async (req, res, next) => {
+router.post('/email/verify', tokenCheck(UsersService.verifyEmailConfirmationToken, errors.ErrEmailVerificationToken), async (req, res, next) => {
 const {token} = req.body;
 
 try {
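Review bot: Dropping the `if (!token) return next(error)` guard changes the non-check path: a body with no token now calls `next()` and reaches the route handler with `token` undefined (the `token = null` default only applies inside this middleware), so whether the client still receives the predefined `error` depends on how that handler's catch, outside the hunk, maps the plain `Error('cannot verify an empty token')` now thrown in services/users.js. Keeping a cheap guard here, `if (token == null) { return next(error); }` placed before `if (check)`, preserves the previous response for both paths without relying on the service layer. Separately, `check` is read from the body untyped, so any truthy value such as the string `"false"` enters check mode; `if (check === true)` would make the switch explicit. The middleware's enclosing JSDoc comment starts before the hunk.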
@@ -86,7 +89,7 @@ router.post('/password/reset', async (req, res, next) => {
 }
 });
 
-router.put('/password/reset', verifyTokenOnCheck(UsersService.verifyPasswordResetToken, errors.ErrPasswordResetToken), async (req, res, next) => {
+router.put('/password/reset', tokenCheck(UsersService.verifyPasswordResetToken, errors.ErrPasswordResetToken), async (req, res, next) => {
 const {token, password} = req.body;
 
 if (!password || password.length < 8) {
diff --git a/services/users.js b/services/users.js
index a82aee8c4..9159ef5a6 100644
--- a/services/users.js
+++ b/services/users.js
@@ -634,6 +634,10 @@ module.exports = class UsersService {
 * @param {String} token the JSON Web Token to verify
 */
 static async verifyPasswordResetToken(token) {
+ if (!token) {
+ throw new Error('cannot verify an empty token');
+ }
+
 const {userId, loc, version} = await UsersService.verifyToken(token, {
 subject: PASSWORD_RESET_JWT_SUBJECT
 });
@@ -777,6 +781,10 @@ module.exports = class UsersService {
 * @param {String} token the token to verify
 */
 static async verifyEmailConfirmationToken(token) {
+ if (!token) {
+ throw new Error('cannot verify an empty token');
+ }
+
 const decoded = await UsersService.verifyToken(token, {
 subject: EMAIL_CONFIRM_JWT_SUBJECT
 });
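Review bot: The new guard in verifyPasswordResetToken rejects only falsy values, so a non-string body value (a number, array or object from the JSON payload) still reaches `UsersService.verifyToken`; `if (typeof token !== 'string' || token.length === 0)` would pin the contract the `@param {String}` doc states. The same applies to the identical guard added to verifyEmailConfirmationToken in the second hunk of this file. Since both methods delegate to `UsersService.verifyToken`, the check is better placed once in that shared method (outside these hunks) so every caller gets it; that placement is inferred from the two calls visible here. Both method bodies continue past their hunks.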