From a607b53f7cfa1caac631ad7fdc09838c9f23b149 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Tue, 3 Jul 2012 12:36:48 +0100
Subject: [PATCH] add tests of email_for_token in the context of password
 reset, remove old transitional code, fix exception in complete_reset api that
 was preventing authentication of user.

---
 lib/wsapi/complete_reset.js  |  3 +-
 lib/wsapi/email_for_token.js | 89 +++++++++++++++---------------------
 tests/forgotten-pass-test.js | 14 ++++++
 3 files changed, 52 insertions(+), 54 deletions(-)

diff --git a/lib/wsapi/complete_reset.js b/lib/wsapi/complete_reset.js
index 50defe478..5a00e91dd 100644
--- a/lib/wsapi/complete_reset.js
+++ b/lib/wsapi/complete_reset.js
@@ -7,7 +7,8 @@ db = require('../db.js'),
 logger = require('../logging.js').logger,
 wsapi = require('../wsapi.js'),
 bcrypt = require('../bcrypt.js'),
-httputils = require('../httputils.js');
+httputils = require('../httputils.js'),
+config = require('../configuration.js');
 
 exports.method = 'post';
 exports.writes_db = true;
diff --git a/lib/wsapi/email_for_token.js b/lib/wsapi/email_for_token.js
index ac0a5d954..da6bb87d9 100644
--- a/lib/wsapi/email_for_token.js
+++ b/lib/wsapi/email_for_token.js
@@ -4,7 +4,8 @@
 
 const
 db = require('../db.js'),
-httputils = require('../httputils.js');
+httputils = require('../httputils.js'),
+logger = require('../logging.js').logger;
 
 /* First half of account creation.  Stages a user account for creation.
  * this involves creating a secret url that must be delivered to the
@@ -22,72 +23,54 @@ exports.process = function(req, res) {
   db.emailForVerificationSecret(req.query.token, function(err, email, uid, hash) {
     if (err) {
       if (err === 'database unavailable') {
-        httputils.serviceUnavailable(res, err);
+        return httputils.serviceUnavailable(res, err);
       } else {
-        res.json({
+        return res.json({
           success: false,
           reason: err
         });
       }
-    } else {
-      function checkMustAuth() {
-        // must the user authenticate?  This is true if they are not authenticated
-        // as the uid who initiated the verification, and they are not on the same
-        // browser as the initiator
-        var must_auth = true;
+    } 
 
-        if (uid && req.session.userid === uid) {
-          must_auth = false;
-        }
-        else if (!uid && typeof req.session.pendingCreation === 'string' &&
-                 req.query.token === req.session.pendingCreation) {
-          must_auth = false;
-        }
+    function checkMustAuth() {
+      // must the user authenticate?  This is true if they are not authenticated
+      // as the uid who initiated the verification, and they are not on the same
+      // browser as the initiator
+      var must_auth = true;
 
-        res.json({
-          success: true,
-          email: email,
-          must_auth: must_auth
-        });
+      if (uid && req.session.userid === uid) {
+        must_auth = false;
       }
-
-      // backwards compatibility - issue #1592
-      // if there is no password in the user record, and no password in the staged
-      // table, then we require a password be fetched from the user upon verification.
-      // these checks are temporary and should disappear in 1 trains time.
-      function needsPassword() {
-        // no password is set neither in the user table nor in the staged record.
-        // the user must pick a password
-        res.json({
-          success: true,
-          email: email,
-          needs_password: true
-        });
+      else if (typeof req.session.pendingCreation === 'string' &&
+               req.query.token === req.session.pendingCreation) {
+        must_auth = false;
       }
 
-      if (!hash) {
-        if (!uid) {
-          needsPassword();
-        } else {
-          db.checkAuth(uid, function(err, hash) {
-            if (err) {
-              return res.json({
-                success: false,
-                reason: err
-              });
-            }
+      res.json({
+        success: true,
+        email: email,
+        must_auth: must_auth
+      });
+    }
 
-            if (!hash) {
-              needsPassword();
-            } else {
-              checkMustAuth();
-            }
+    if (!hash) {
+      // if no password is set in the stage table, this is probably an email addition
+      db.checkAuth(uid, function(err, hash) {
+        if (err) {
+          return res.json({
+            success: false,
+            reason: err
+          });
+        } else if (!hash) {
+          return res.json({
+            success: false,
+            reason: "missing password for user"
           });
         }
-      } else {
         checkMustAuth();
-      }
-
+      });
+    } else {
+      checkMustAuth();
     }
   });
 };
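Review bot: The new `if (!hash)` branch calls `db.checkAuth(uid, …)` unconditionally, but `uid` can be falsy here (the old code handled `!uid` separately before the transitional `needsPassword` path was removed), and nothing in the hunk shows that `db.checkAuth` tolerates a missing uid rather than throwing or returning a misleading error. An explicit guard keeps the failure mode visible, e.g. `if (!uid) return res.json({ success: false, reason: "missing password for user" });` placed before the `db.checkAuth` call. The callback parameter `hash` also shadows the outer `hash` from `emailForVerificationSecret`; renaming it (`function(err, userHash)`) would make it clear which value the `!hash` check is inspecting. The enclosing `exports.process` function starts before this hunk.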
diff --git a/tests/forgotten-pass-test.js b/tests/forgotten-pass-test.js
index f10ee1897..42ea5f2c9 100755
--- a/tests/forgotten-pass-test.js
+++ b/tests/forgotten-pass-test.js
@@ -201,6 +201,20 @@ suite.addBatch({
   }
 });
 
+suite.addBatch({
+  "given a token, getting an email": {
+    topic: function() {
+      wsapi.get('/wsapi/email_for_token', { token: token }).call(this);
+    },
+    "account created": function(err, r) {
+      assert.equal(r.code, 200);
+      var body = JSON.parse(r.body);
+      console.log(body);
+      assert.strictEqual(body.success, true);
+    }
+  }
+});
+
 // now let's complete the re-registration of first email address
 suite.addBatch({
   "complete password reset": {
-- 
GitLab