add resetPasswordSuccessOnInvalidEmail

Author: dblythy

spec/ValidationAndPasswordsReset.spec.js

@@ -1083,7 +1083,7 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
       });
   });
 
-  it('should throw on an invalid reset password', async () => {
+  it('should throw on an invalid reset password with resetPasswordSuccessOnInvalidEmail', async () => {
     await reconfigureServer({
       appName: 'coolapp',
       publicServerURL: 'http://localhost:1337/1',
@@ -1092,6 +1092,9 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
         apiKey: 'k',
         domain: 'd',
       }),
+      passwordPolicy: {
+        resetPasswordSuccessOnInvalidEmail: false,
+      },
     });
     await expectAsync(Parse.User.requestPasswordReset('[email protected]')).toBeRejectedWith(
       new Parse.Error(

src/Options/Definitions.js

@@ -818,6 +818,13 @@ module.exports.PasswordPolicyOptions = {
       'Set the number of previous password that will not be allowed to be set as new password. If the option is not set or set to `0`, no previous passwords will be considered.<br><br>Valid values are >= `0` and <= `20`.<br>Default is `0`.',
     action: parsers.numberParser('maxPasswordHistory'),
   },
+  resetPasswordSuccessOnInvalidEmail: {
+    env: 'PARSE_SERVER_PASSWORD_POLICY_RESET_PASSWORD_SUCCESS_ON_INVALID_EMAIL',
+    help:
+      'Set to true if password resets should return success if the email is invalid<br><br>Default is `true`.',
+    action: parsers.booleanParser,
+    default: true,
+  },
   resetTokenReuseIfValid: {
     env: 'PARSE_SERVER_PASSWORD_POLICY_RESET_TOKEN_REUSE_IF_VALID',
     help:

src/Options/docs.js

@@ -190,6 +190,7 @@
  * @property {Boolean} doNotAllowUsername Set to `true` to disallow the username as part of the password.<br><br>Default is `false`.
  * @property {Number} maxPasswordAge Set the number of days after which a password expires. Login attempts fail if the user does not reset the password before expiration.
  * @property {Number} maxPasswordHistory Set the number of previous password that will not be allowed to be set as new password. If the option is not set or set to `0`, no previous passwords will be considered.<br><br>Valid values are >= `0` and <= `20`.<br>Default is `0`.
+ * @property {Boolean} resetPasswordSuccessOnInvalidEmail Set to true if password resets should return success if the email is invalid<br><br>Default is `true`.
  * @property {Boolean} resetTokenReuseIfValid Set to `true` if a password reset token should be reused in case another token is requested but there is a token that is still valid, i.e. has not expired. This avoids the often observed issue that a user requests multiple emails and does not know which link contains a valid token because each newly generated token would invalidate the previous token.<br><br>Default is `false`.
  * @property {Number} resetTokenValidityDuration Set the validity duration of the password reset token in seconds after which the token expires. The token is used in the link that is set in the email. After the token expires, the link becomes invalid and a new link has to be sent. If the option is not set or set to `undefined`, then the token never expires.<br><br>For example, to expire the token after 2 hours, set a value of 7200 seconds (= 60 seconds * 60 minutes * 2 hours).<br><br>Default is `undefined`.
  * @property {String} validationError Set the error message to be sent.<br><br>Default is `Password does not meet the Password Policy requirements.`

src/Options/index.js

@@ -487,6 +487,11 @@ export interface PasswordPolicyOptions {
   Default is `false`.
   :DEFAULT: false */
   resetTokenReuseIfValid: ?boolean;
+  /* Set to true if password resets should return success if the email is invalid
+  <br><br>
+  Default is `true`.
+  :DEFAULT: true */
+  resetPasswordSuccessOnInvalidEmail: ?boolean;
 }
 
 export interface FileUploadOptions {

src/Routers/UsersRouter.js

@@ -384,7 +384,7 @@ export class UsersRouter extends ClassesRouter {
     }
   }
 
-  handleResetRequest(req) {
+  async handleResetRequest(req) {
     this._throwOnBadEmailConfig(req);
 
     const { email } = req.body;
@@ -398,19 +398,22 @@ export class UsersRouter extends ClassesRouter {
       );
     }
     const userController = req.config.userController;
-    return userController.sendPasswordResetEmail(email).then(
-      () => {
-        return Promise.resolve({
-          response: {},
-        });
-      },
-      err => {
-        if (err.code === Parse.Error.OBJECT_NOT_FOUND) {
-          err.message = `A user with the email ${email} does not exist.`;
+    try {
+      await userController.sendPasswordResetEmail(email);
+      return {
+        response: {},
+      };
+    } catch (err) {
+      if (err.code === Parse.Error.OBJECT_NOT_FOUND) {
+        if (req.config.passwordPolicy.resetPasswordSuccessOnInvalidEmail) {
+          return {
+            response: {},
+          };
         }
-        throw err;
+        err.message = `A user with the email ${email} does not exist.`;
       }
-    );
+      throw err;
+    }
   }
 
   handleVerificationEmailRequest(req) {