Add missing encodeURIComponent on username password reset (#6278)

* Add missing encodeURIComponent on username * Add new unit test on encoded username password reset redirect
2019-12-17 03:15:29 +01:00
parent 2d665c96a3
commit d9f36b060e
2 changed files with 66 additions and 6 deletions
--- a/spec/ValidationAndPasswordsReset.spec.js
+++ b/spec/ValidationAndPasswordsReset.spec.js
@@ -463,7 +463,7 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
      });
  });

-  it('succeeds sending a password reset email if appName, publicServerURL, and email adapter are prodvided', done => {
+  it('succeeds sending a password reset email if appName, publicServerURL, and email adapter are provided', done => {
    reconfigureServer({
      appName: 'coolapp',
      publicServerURL: 'http://localhost:1337/1',
@@ -910,6 +910,65 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
    });
  });

+  it('should redirect with username encoded on success page', done => {
+    const user = new Parse.User();
+    const emailAdapter = {
+      sendVerificationEmail: () => Promise.resolve(),
+      sendPasswordResetEmail: options => {
+        request({
+          url: options.link,
+          followRedirects: false,
+        }).then(response => {
+          expect(response.status).toEqual(302);
+          const re = /http:\/\/localhost:8378\/1\/apps\/choose_password\?token=([a-zA-Z0-9]+)\&id=test\&username=zxcv%2B1/;
+          const match = response.text.match(re);
+          if (!match) {
+            fail('should have a token');
+            done();
+            return;
+          }
+          const token = match[1];
+
+          request({
+            url: 'http://localhost:8378/1/apps/test/request_password_reset',
+            method: 'POST',
+            body: { new_password: 'hello', token, username: 'zxcv+1' },
+            headers: {
+              'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            followRedirects: false,
+          }).then(response => {
+            expect(response.status).toEqual(302);
+            expect(response.text).toEqual(
+              'Found. Redirecting to http://localhost:8378/1/apps/password_reset_success.html?username=zxcv%2B1'
+            );
+            done();
+          });
+        });
+      },
+      sendMail: () => {},
+    };
+    reconfigureServer({
+      appName: 'emailing app',
+      verifyUserEmails: true,
+      emailAdapter: emailAdapter,
+      publicServerURL: 'http://localhost:8378/1',
+    }).then(() => {
+      user.setPassword('asdf');
+      user.setUsername('zxcv+1');
+      user.set('email', 'user@parse.com');
+      user.signUp().then(() => {
+        Parse.User.requestPasswordReset('user@parse.com', {
+          error: err => {
+            jfail(err);
+            fail('Should not fail');
+            done();
+          },
+        });
+      });
+    });
+  });
+
  it('should programmatically reset password on ajax request', async done => {
    const user = new Parse.User();
    const emailAdapter = {
--- a/src/Routers/PublicAPIRouter.js
+++ b/src/Routers/PublicAPIRouter.js
@@ -212,13 +212,14 @@ export class PublicAPIRouter extends PromiseRouter {
          }
        }

+        const encodedUsername = encodeURIComponent(username);
+        const location = result.success
+          ? `${config.passwordResetSuccessURL}?username=${encodedUsername}`
+          : `${config.choosePasswordURL}?${params}`;
+
        return Promise.resolve({
          status: 302,
-          location: `${
-            result.success
-              ? `${config.passwordResetSuccessURL}?username=${username}`
-              : `${config.choosePasswordURL}?${params}`
-          }`,
+          location,
        });
      });
  }