From b71da7dcc9873aa5a17a0393197e38947c5a7d9b Mon Sep 17 00:00:00 2001
From: Divlo
Date: Mon, 29 Aug 2022 16:32:24 +0000
Subject: [PATCH] fix: on password reset, delete all refresh tokens
---
src/services/users/reset-password/__test__/put.test.ts | 5 +++++
src/services/users/reset-password/put.ts | 7 ++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/services/users/reset-password/__test__/put.test.ts b/src/services/users/reset-password/__test__/put.test.ts
index 8f5f6aa..931c19c 100644
--- a/src/services/users/reset-password/__test__/put.test.ts
+++ b/src/services/users/reset-password/__test__/put.test.ts
@@ -25,6 +25,11 @@ await tap.test('PUT /users/reset-password', async (t) => {
 return userExample
 }
 })
+ sinon.stub(prisma, 'refreshToken').value({
+ deleteMany: async () => {
+ return { count: 1 }
+ }
+ })
 const response = await application.inject({
 method: 'PUT',
 url: '/users/reset-password',
diff --git a/src/services/users/reset-password/put.ts b/src/services/users/reset-password/put.ts
index 8c1fbc0..dd8f71a 100644
--- a/src/services/users/reset-password/put.ts
+++ b/src/services/users/reset-password/put.ts
@@ -39,7 +39,7 @@ export const putResetPasswordUser: FastifyPluginAsync = async (fastify) => {
 user?.temporaryExpirationToken != null &&
 user.temporaryExpirationToken.getTime() > Date.now()
 if (user == null || !isValidTemporaryToken) {
- throw fastify.httpErrors.badRequest('"tempToken" is invalid')
+ throw fastify.httpErrors.badRequest('`temporaryToken` is invalid.')
 }
 const hashedPassword = await bcrypt.hash(password, 12)
 await prisma.user.update({
@@ -52,6 +52,11 @@ export const putResetPasswordUser: FastifyPluginAsync = async (fastify) => {
 temporaryExpirationToken: null
 }
 })
+ await prisma.refreshToken.deleteMany({
+ where: {
+ userId: user.id
+ }
+ })
 reply.statusCode = 200
 return 'The new password has been saved!'
 }
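Review bot: The new stub only makes `prisma.refreshToken.deleteMany` resolve; nothing in the test asserts that it was called, so the session revocation this commit adds is not actually verified and could silently regress. Keep a handle on the stub and check its argument after the request: `const deleteMany = sinon.stub().resolves({ count: 1 })`, `sinon.stub(prisma, 'refreshToken').value({ deleteMany })`, then `t.equal(deleteMany.calledOnceWithExactly({ where: { userId: userExample.id } }), true)`. Whether `userExample.id` is the `user.id` the handler passes depends on the user-lookup stub just above this hunk, which is outside this view. The enclosing `tap.test` callback starts and ends outside the hunk.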
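Review bot: The refresh-token revocation is a separate statement awaited after `prisma.user.update` has already committed, so a failure in `deleteMany` leaves the password rotated while every existing refresh token remains valid — the exact state this commit sets out to eliminate. Run both writes in one `prisma.$transaction([...])` so the reset either rotates the password and revokes the sessions together or does neither; the `update` call being wrapped opens in the previous hunk and its `where`/`data` arguments are outside this view. A short comment above the revocation would also help the next maintainer: `// Revoke every session: a reset via temporaryToken implies the old credential may be compromised.` Note that access tokens already issued are presumably unaffected until they expire, if they are self-contained rather than checked against the database — not visible here, worth confirming. `putResetPasswordUser` begins before the hunk.
```typescript
  const hashedPassword = await bcrypt.hash(password, 12)
  // Revoke every session: a reset via temporaryToken implies the old credential may be compromised.
  await prisma.$transaction([
    prisma.user.update({
      // … unchanged: where/data of the existing update call …
    }),
    prisma.refreshToken.deleteMany({
      where: {
        userId: user.id
      }
    })
  ])
  reply.statusCode = 200
```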