fix regression with original patch for initiating/verifying forgotten password in same browser

299da42e · Zachary Carter · 8a63fbd9 · 299da42e · 299da42e
Commit 299da42e authored 12 years ago by Zachary Carter
--- a/lib/wsapi/email_for_token.js
+++ b/lib/wsapi/email_for_token.js
@@ -46,7 +46,7 @@ exports.process = function(req, res) {
      // browser as the initiator
      var must_auth = true;

-      if (uid && req.session.userid === uid &&
+      if (((uid && req.session.userid === uid) || !req.session.userid) &&
               typeof req.session.pendingReset === 'string' &&
               req.params.token === req.session.pendingReset) {
        must_auth = false;

--- a/tests/forgotten-pass-test.js
+++ b/tests/forgotten-pass-test.js
@@ -232,6 +232,7 @@ suite.addBatch({
      assert.equal(r.code, 200);
      var body = JSON.parse(r.body);
      assert.strictEqual(body.success, true);
+      assert.strictEqual(body.must_auth, false);
    }
  }
 });