From d625a4cd0b1806225f82b4b72d0f4e70b0aa0a07 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Mon, 14 May 2012 13:00:33 -0600
Subject: [PATCH] issue #1592 - email_for_token returns need_password: true
when no password has been chosen.
---
lib/db/json.js | 2 +-
lib/db/mysql.js | 4 +--
lib/wsapi/email_for_token.js | 70 ++++++++++++++++++++++++++++--------
3 files changed, 58 insertions(+), 18 deletions(-)
diff --git a/lib/db/json.js b/lib/db/json.js
index e49615c1f..376a2a791 100644
--- a/lib/db/json.js
+++ b/lib/db/json.js
@@ -236,7 +236,7 @@ exports.emailForVerificationSecret = function(secret, cb) {
process.nextTick(function() {
sync();
if (!db.staged[secret]) return cb("no such secret");
- cb(null, db.staged[secret].email, db.staged[secret].existing_user);
+ cb(null, db.staged[secret].email, db.staged[secret].existing_user, db.staged[secret].passwd);
});
};
diff --git a/lib/db/mysql.js b/lib/db/mysql.js
index b2e123ae6..6a7b6f947 100644
--- a/lib/db/mysql.js
+++ b/lib/db/mysql.js
@@ -265,14 +265,14 @@ exports.haveVerificationSecret = function(secret, cb) {
exports.emailForVerificationSecret = function(secret, cb) {
client.query(
- "SELECT email, existing_user FROM staged WHERE secret = ?", [ secret ],
+ "SELECT email, existing_user, passwd FROM staged WHERE secret = ?", [ secret ],
function(err, rows) {
if (err) return cb("database unavailable");
// if the record was not found, fail out
if (!rows || rows.length != 1) return cb("no such secret");
- cb(null, rows[0].email, rows[0].existing_user);
+ cb(null, rows[0].email, rows[0].existing_user, rows[0].passwd);
});
};
diff --git a/lib/wsapi/email_for_token.js b/lib/wsapi/email_for_token.js
index f492bcff5..ac0a5d954 100644
--- a/lib/wsapi/email_for_token.js
+++ b/lib/wsapi/email_for_token.js
@@ -19,7 +19,7 @@ exports.args = ['token'];
exports.i18n = false;
exports.process = function(req, res) {
- db.emailForVerificationSecret(req.query.token, function(err, email, uid) {
+ db.emailForVerificationSecret(req.query.token, function(err, email, uid, hash) {
if (err) {
if (err === 'database unavailable') {
httputils.serviceUnavailable(res, err);
@@ -30,24 +30,64 @@ exports.process = function(req, res) {
});
}
} else {
- // must the user authenticate? This is true if they are not authenticated
- // as the uid who initiated the verification, and they are not on the same
- // browser as the initiator
- var must_auth = true;
+ function checkMustAuth() {
+ // must the user authenticate? This is true if they are not authenticated
+ // as the uid who initiated the verification, and they are not on the same
+ // browser as the initiator
+ var must_auth = true;
- if (uid && req.session.userid === uid) {
- must_auth = false;
+ if (uid && req.session.userid === uid) {
+ must_auth = false;
+ }
+ else if (!uid && typeof req.session.pendingCreation === 'string' &&
+ req.query.token === req.session.pendingCreation) {
+ must_auth = false;
+ }
+
+ res.json({
+ success: true,
+ email: email,
+ must_auth: must_auth
+ });
+ }
+
+ // backwards compatibility - issue #1592
+ // if there is no password in the user record, and no password in the staged
+ // table, then we require a password be fetched from the user upon verification.
+ // these checks are temporary and should disappear in 1 trains time.
+ function needsPassword() {
+ // no password is set neither in the user table nor in the staged record.
+ // the user must pick a password
+ res.json({
+ success: true,
+ email: email,
+ needs_password: true
+ });
}
- else if (!uid && typeof req.session.pendingCreation === 'string' &&
- req.query.token === req.session.pendingCreation) {
- must_auth = false;
+
+ if (!hash) {
+ if (!uid) {
+ needsPassword();
+ } else {
+ db.checkAuth(uid, function(err, hash) {
+ if (err) {
+ return res.json({
+ success: false,
+ reason: err
+ });
+ }
+
+ if (!hash) {
+ needsPassword();
+ } else {
+ checkMustAuth();
+ }
+ });
+ }
+ } else {
+ checkMustAuth();
}
- res.json({
- success: true,
- email: email,
- must_auth: must_auth
- });
}
});
};
--
GitLab