From b82b43b4c64dc5bc705a439a214f9d1dc9976e21 Mon Sep 17 00:00:00 2001
From: Sebastian Rindom
Date: Sat, 23 Oct 2021 13:07:41 +0200
Subject: [PATCH 1/2] fix: pull missing fields
---
 .../routes/store/customers/reset-password.js | 36 +++++++++----------
 packages/medusa/src/services/customer.js | 11 +++++-
 2 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/packages/medusa/src/api/routes/store/customers/reset-password.js b/packages/medusa/src/api/routes/store/customers/reset-password.js
index 4242e0e8f5..93dba48351 100644
--- a/packages/medusa/src/api/routes/store/customers/reset-password.js
+++ b/packages/medusa/src/api/routes/store/customers/reset-password.js
@@ -24,7 +24,9 @@ import jwt from "jsonwebtoken"
 */
 export default async (req, res) => {
 const schema = Validator.object().keys({
- email: Validator.string().email().required(),
+ email: Validator.string()
+ .email()
+ .required(),
 token: Validator.string().required(),
 password: Validator.string().required(),
 })
@@ -34,23 +36,21 @@ export default async (req, res) => {
 throw new MedusaError(MedusaError.Types.INVALID_DATA, error.details)
 }
- try {
- const customerService = req.scope.resolve("customerService")
- let customer = await customerService.retrieveByEmail(value.email)
+ const customerService = req.scope.resolve("customerService")
+ let customer = await customerService.retrieveByEmail(value.email, {
+ select: ["id", "password_hash"],
+ })
- const decodedToken = await jwt.verify(value.token, customer.password_hash)
- if (!decodedToken || customer.id !== decodedToken.customer_id) {
- res.status(401).send("Invalid or expired password reset token")
- return
- }
-
- await customerService.update(customer.id, {
- password: value.password,
- })
-
- customer = await customerService.retrieve(customer.id)
- res.status(200).json({ customer })
- } catch (error) {
- throw error
+ const decodedToken = jwt.verify(value.token, customer.password_hash)
+ if (!decodedToken || customer.id !== decodedToken.customer_id) {
+ res.status(401).send("Invalid or expired password reset token")
+ return
 }
+
+ await customerService.update(customer.id, {
+ password: value.password,
+ })
+
+ customer = await customerService.retrieve(customer.id)
+ res.status(200).json({ customer })
 }
diff --git a/packages/medusa/src/services/customer.js b/packages/medusa/src/services/customer.js
index bbe07131d7..8d36b07ce2 100644
--- a/packages/medusa/src/services/customer.js
+++ b/packages/medusa/src/services/customer.js
@@ -94,7 +94,16 @@ class CustomerService extends BaseService {
 * @return {string} the generated JSON web token
 */
 async generateResetPasswordToken(customerId) {
- const customer = await this.retrieve(customerId)
+ const customer = await this.retrieve(customerId, {
+ select: [
+ "id",
+ "has_account",
+ "password_hash",
+ "email",
+ "first_name",
+ "last_name",
+ ],
+ })
 if (!customer.has_account) {
 throw new MedusaError(
From caa9ab81dfbc38c7c3500d3fe7e297d2a40b8f23 Mon Sep 17 00:00:00 2001
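Review bot: On the new side `jwt.verify(value.token, customer.password_hash)` throws on a tampered, malformed or expired token rather than returning a falsy value, so the `!decodedToken` half of the guard on the next line is dead and such a token surfaces as an unhandled error instead of the intended 401; the removed try/catch only rethrew, so this is pre-existing, but with the wrapper gone it is the natural place to fix it. The same catch also covers the case where `retrieveByEmail` returns a record whose `password_hash` is null (no account), which makes `jwt.verify` throw as well — whether that can happen is not visible in this hunk. I would keep the `customer.id !== decodedToken.customer_id` comparison as is and convert the verify into a guarded assignment. The handler starts in the previous hunk and its closing brace is the last context line here.
```javascript
let decodedToken
try {
  decodedToken = jwt.verify(value.token, customer.password_hash)
} catch (err) {
  res.status(401).send("Invalid or expired password reset token")
  return
}
if (customer.id !== decodedToken.customer_id) {
  res.status(401).send("Invalid or expired password reset token")
  return
}
// … unchanged: customerService.update, retrieve and 200 response …
```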
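Review bot: The explicit `select` list added to `this.retrieve(customerId, { select: [...] })` now decides which properties `customer` carries for the rest of `generateResetPasswordToken`, whose body continues past the end of the hunk; any field read later, or copied into the token or notification payload, that is missing from the list comes back undefined without an error, which is the same class of bug the commit title describes. A short comment above the list would keep the coupling visible to the next editor, e.g. `// keep in sync with every customer field read below and placed in the reset token payload`. Whether every field the remainder of the method touches is covered cannot be confirmed from this hunk alone.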
From: Sebastian Rindom
Date: Sat, 23 Oct 2021 13:15:04 +0200
Subject: [PATCH 2/2] fix: add integration test
---
 .../api/__tests__/store/customer.js | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/integration-tests/api/__tests__/store/customer.js b/integration-tests/api/__tests__/store/customer.js
index 0d59738059..425a48fb9a 100644
--- a/integration-tests/api/__tests__/store/customer.js
+++ b/integration-tests/api/__tests__/store/customer.js
@@ -264,4 +264,33 @@ describe("/store/customers", () => {
 expect(response.data.customer.billing_address_id).toEqual(null)
 })
 })
+
+ describe("POST /store/customers/password-token", () => {
+ beforeEach(async () => {
+ const manager = dbConnection.manager
+ await manager.insert(Customer, {
+ id: "test_customer",
+ first_name: "John",
+ last_name: "Deere",
+ email: "john@deere.com",
+ password_hash:
+ "c2NyeXB0AAEAAAABAAAAAVMdaddoGjwU1TafDLLlBKnOTQga7P2dbrfgf3fB+rCD/cJOMuGzAvRdKutbYkVpuJWTU39P7OpuWNkUVoEETOVLMJafbI8qs8Qx/7jMQXkN", // password matching "test"
+ has_account: true,
+ })
+ })
+
+ afterEach(async () => {
+ await doAfterEach()
+ })
+
+ it("creates token", async () => {
+ const api = useApi()
+
+ const response = await api.post(`/store/customers/password-token`, {
+ email: "john@deere.com",
+ })
+
+ expect(response.status).toEqual(204)
+ })
+ })
 })
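Review bot: The new `it("creates token", ...)` only asserts `expect(response.status).toEqual(204)`, which exercises the `generateResetPasswordToken` select list from the first patch but says nothing about the reset-password route that patch also changed (the `select: ["id", "password_hash"]` path), so that regression is still uncovered. A second case in this `describe` that obtains a token for the inserted customer and posts it with a new password to the reset-password endpoint, then asserts the 200 body and that the old token is rejected with 401, would close the gap; the exact URL and how the test can read the generated token are not visible here. The fixture's `password_hash` comment `// password matching "test"` is helpful and should stay. The enclosing `describe("/store/customers", ...)` opens outside the hunk, and `Customer`, `dbConnection`, `doAfterEach` and `useApi` come from that outer scope.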