Reuse tokens if they haven't expired

Author: dblythy

spec/EmailVerificationToken.spec.js

@@ -510,7 +510,7 @@ describe('Email Verification Token Expiration: ', () => {
           userAfterEmailReset._email_verify_token
         );
         expect(userBeforeEmailReset._email_verify_token_expires_at).not.toEqual(
-          userAfterEmailReset.__email_verify_token_expires_at
+          userAfterEmailReset._email_verify_token_expires_at
         );
         expect(sendEmailOptions).toBeDefined();
         done();
@@ -594,7 +594,88 @@ describe('Email Verification Token Expiration: ', () => {
           userAfterRequest._email_verify_token
         );
         expect(userBeforeRequest._email_verify_token_expires_at).not.toEqual(
-          userAfterRequest.__email_verify_token_expires_at
+          userAfterRequest._email_verify_token_expires_at
+        );
+        done();
+      })
+      .catch(error => {
+        jfail(error);
+        done();
+      });
+  });
+
+  it('should match codes with emailVerifyTokenReuseIfValid', done => {
+    const user = new Parse.User();
+    let sendEmailOptions;
+    let sendVerificationEmailCallCount = 0;
+    let userBeforeRequest;
+    const emailAdapter = {
+      sendVerificationEmail: options => {
+        sendEmailOptions = options;
+        sendVerificationEmailCallCount++;
+      },
+      sendPasswordResetEmail: () => Promise.resolve(),
+      sendMail: () => {},
+    };
+    reconfigureServer({
+      appName: 'emailVerifyToken',
+      verifyUserEmails: true,
+      emailAdapter: emailAdapter,
+      emailVerifyTokenValidityDuration: 5 * 60, // 5 minutes
+      publicServerURL: 'http://localhost:8378/1',
+      emailVerifyTokenReuseIfValid: true,
+    })
+      .then(() => {
+        user.setUsername('resends_verification_token');
+        user.setPassword('expiringToken');
+        user.set('email', '[email protected]');
+        return user.signUp();
+      })
+      .then(() => {
+        const config = Config.get('test');
+        return config.database
+          .find('_User', { username: 'resends_verification_token' })
+          .then(results => {
+            return results[0];
+          });
+      })
+      .then(newUser => {
+        // store this user before we make our email request
+        userBeforeRequest = newUser;
+        expect(sendVerificationEmailCallCount).toBe(1);
+
+        return request({
+          url: 'http://localhost:8378/1/verificationEmailRequest',
+          method: 'POST',
+          body: {
+            email: '[email protected]',
+          },
+          headers: {
+            'X-Parse-Application-Id': Parse.applicationId,
+            'X-Parse-REST-API-Key': 'rest',
+            'Content-Type': 'application/json',
+          },
+        });
+      })
+      .then(response => {
+        expect(response.status).toBe(200);
+        expect(sendVerificationEmailCallCount).toBe(2);
+        expect(sendEmailOptions).toBeDefined();
+
+        // query for this user again
+        const config = Config.get('test');
+        return config.database
+          .find('_User', { username: 'resends_verification_token' })
+          .then(results => {
+            return results[0];
+          });
+      })
+      .then(userAfterRequest => {
+        // verify that our token & expiration has been changed for this new request
+        expect(typeof userAfterRequest).toBe('object');
+        expect(userBeforeRequest._email_verify_token).toEqual(userAfterRequest._email_verify_token);
+        expect(userBeforeRequest._email_verify_token_expires_at).toEqual(
+          userAfterRequest._email_verify_token_expires_at
         );
         done();
       })

spec/PasswordPolicy.spec.js

@@ -122,6 +122,103 @@ describe('Password Policy: ', () => {
       });
   });
 
+  it('should not keep reset token', done => {
+    const user = new Parse.User();
+    const sendEmailOptions = [];
+    const emailAdapter = {
+      sendVerificationEmail: () => Promise.resolve(),
+      sendPasswordResetEmail: options => {
+        sendEmailOptions.push(options);
+      },
+      sendMail: () => {},
+    };
+    reconfigureServer({
+      appName: 'passwordPolicy',
+      emailAdapter: emailAdapter,
+      passwordPolicy: {
+        resetTokenValidityDuration: 5 * 60, // 5 minutes
+      },
+      publicServerURL: 'http://localhost:8378/1',
+    })
+      .then(() => {
+        user.setUsername('testResetTokenValidity');
+        user.setPassword('original');
+        user.set('email', '[email protected]');
+        return user.signUp();
+      })
+      .then(() => {
+        return Parse.User.requestPasswordReset('[email protected]').catch(err => {
+          jfail(err);
+          fail('Reset password request should not fail');
+          done();
+        });
+      })
+      .then(() => {
+        return Parse.User.requestPasswordReset('[email protected]').catch(err => {
+          jfail(err);
+          fail('Reset password request should not fail');
+          done();
+        });
+      })
+      .then(() => {
+        expect(sendEmailOptions[0].link).not.toBe(sendEmailOptions[1].link);
+        done();
+      })
+      .catch(err => {
+        jfail(err);
+        done();
+      });
+  });
+
+  it('should keep reset token with resetTokenReuseIfValid', done => {
+    const user = new Parse.User();
+    const sendEmailOptions = [];
+    const emailAdapter = {
+      sendVerificationEmail: () => Promise.resolve(),
+      sendPasswordResetEmail: options => {
+        sendEmailOptions.push(options);
+      },
+      sendMail: () => {},
+    };
+    reconfigureServer({
+      appName: 'passwordPolicy',
+      emailAdapter: emailAdapter,
+      passwordPolicy: {
+        resetTokenValidityDuration: 5 * 60, // 5 minutes
+        resetTokenReuseIfValid: true,
+      },
+      publicServerURL: 'http://localhost:8378/1',
+    })
+      .then(() => {
+        user.setUsername('testResetTokenValidity');
+        user.setPassword('original');
+        user.set('email', '[email protected]');
+        return user.signUp();
+      })
+      .then(() => {
+        return Parse.User.requestPasswordReset('[email protected]').catch(err => {
+          jfail(err);
+          fail('Reset password request should not fail');
+          done();
+        });
+      })
+      .then(() => {
+        return Parse.User.requestPasswordReset('[email protected]').catch(err => {
+          jfail(err);
+          fail('Reset password request should not fail');
+          done();
+        });
+      })
+      .then(() => {
+        expect(sendEmailOptions[0].link).toBe(sendEmailOptions[1].link);
+        done();
+      })
+      .catch(err => {
+        jfail(err);
+        done();
+      });
+  });
+
   it('should fail if passwordPolicy.resetTokenValidityDuration is not a number', done => {
     reconfigureServer({
       appName: 'passwordPolicy',

src/Controllers/UserController.js

@@ -81,30 +81,27 @@ export class UserController extends AdaptableController {
   }
 
   checkResetTokenValidity(username, token) {
-    return this.config.database
-      .find(
-        '_User',
-        {
-          username: username,
-          _perishable_token: token,
-        },
-        { limit: 1 }
-      )
-      .then(results => {
-        if (results.length != 1) {
-          throw 'Failed to reset password: username / email / token is invalid';
-        }
+    let query = {
+      username: username,
+      _perishable_token: token,
+    };
+    if (!token) {
+      query = { $or: [{ email: username }, { username, email: { $exists: false } }] };
+    }
+    return this.config.database.find('_User', query, { limit: 1 }).then(results => {
+      if (results.length != 1) {
+        throw 'Failed to reset password: username / email / token is invalid';
+      }
 
-        if (this.config.passwordPolicy && this.config.passwordPolicy.resetTokenValidityDuration) {
-          let expiresDate = results[0]._perishable_token_expires_at;
-          if (expiresDate && expiresDate.__type == 'Date') {
-            expiresDate = new Date(expiresDate.iso);
-          }
-          if (expiresDate < new Date()) throw 'The password reset link has expired';
+      if (this.config.passwordPolicy && this.config.passwordPolicy.resetTokenValidityDuration) {
+        let expiresDate = results[0]._perishable_token_expires_at;
+        if (expiresDate && expiresDate.__type == 'Date') {
+          expiresDate = new Date(expiresDate.iso);
         }
-
-        return results[0];
-      });
+        if (expiresDate < new Date()) throw 'The password reset link has expired';
+      }
+      return results[0];
+    });
   }
 
   getUserIfNeeded(user) {
@@ -158,6 +155,15 @@ export class UserController extends AdaptableController {
    * @returns {*}
    */
   regenerateEmailVerifyToken(user) {
+    const { _email_verify_token, _email_verify_token_expires_at } = user;
+    if (
+      this.config.emailVerifyTokenReuseIfValid &&
+      this.config.emailVerifyTokenValidityDuration &&
+      _email_verify_token &&
+      new Date() < new Date(_email_verify_token_expires_at)
+    ) {
+      return Promise.resolve();
+    }
     this.setEmailVerifyToken(user);
     return this.config.database.update('_User', { username: user.username }, user);
   }
@@ -191,36 +197,42 @@ export class UserController extends AdaptableController {
     );
   }
 
-  sendPasswordResetEmail(email) {
+  async sendPasswordResetEmail(email) {
     if (!this.adapter) {
       throw 'Trying to send a reset password but no adapter is set';
       //  TODO: No adapter?
     }
-
-    return this.setPasswordResetToken(email).then(user => {
-      const token = encodeURIComponent(user._perishable_token);
-      const username = encodeURIComponent(user.username);
-
-      const link = buildEmailLink(
-        this.config.requestResetPasswordURL,
-        username,
-        token,
-        this.config
-      );
-      const options = {
-        appName: this.config.appName,
-        link: link,
-        user: inflate('_User', user),
-      };
-
-      if (this.adapter.sendPasswordResetEmail) {
-        this.adapter.sendPasswordResetEmail(options);
-      } else {
-        this.adapter.sendMail(this.defaultResetPasswordEmail(options));
+    let user;
+    if (
+      this.config.passwordPolicy.resetTokenReuseIfValid &&
+      this.config.resetTokenValidityDuration
+    ) {
+      try {
+        user = await this.checkResetTokenValidity(email);
+      } catch (e) {
+        /* */
       }
+    }
+    if (!user || !user._perishable_token) {
+      user = await this.setPasswordResetToken(email);
+    }
+    const token = encodeURIComponent(user._perishable_token);
+    const username = encodeURIComponent(user.username);
+
+    const link = buildEmailLink(this.config.requestResetPasswordURL, username, token, this.config);
+    const options = {
+      appName: this.config.appName,
+      link: link,
+      user: inflate('_User', user),
+    };
 
-      return Promise.resolve(user);
-    });
+    if (this.adapter.sendPasswordResetEmail) {
+      this.adapter.sendPasswordResetEmail(options);
+    } else {
+      this.adapter.sendMail(this.defaultResetPasswordEmail(options));
+    }
+
+    return Promise.resolve(user);
   }
 
   updatePassword(username, token, password) {

src/Options/Definitions.js

@@ -125,6 +125,12 @@ module.exports.ParseServerOptions = {
     help: 'Adapter module for email sending',
     action: parsers.moduleOrObjectParser,
   },
+  emailVerifyTokenReuseIfValid: {
+    env: 'PARSE_SERVER_EMAIL_VERIFY_TOKEN_REUSE_IF_VALID',
+    help: 'an existing password reset token should be reused when a password reset is requested',
+    action: parsers.booleanParser,
+    default: false,
+  },
   emailVerifyTokenValidityDuration: {
     env: 'PARSE_SERVER_EMAIL_VERIFY_TOKEN_VALIDITY_DURATION',
     help: 'Email verification token validity duration, in seconds',

src/Options/docs.js

@@ -23,6 +23,7 @@
  * @property {Boolean} directAccess Replace HTTP Interface when using JS SDK in current node runtime, defaults to false. Caution, this is an experimental feature that may not be appropriate for production.
  * @property {String} dotNetKey Key for Unity and .Net SDK
  * @property {Adapter<MailAdapter>} emailAdapter Adapter module for email sending
+ * @property {Boolean} emailVerifyTokenReuseIfValid an existing password reset token should be reused when a password reset is requested
  * @property {Number} emailVerifyTokenValidityDuration Email verification token validity duration, in seconds
  * @property {Boolean} enableAnonymousUsers Enable (or disable) anonymous users, defaults to true
  * @property {Boolean} enableExpressErrorHandler Enables the default express error handler for all errors

src/Options/index.js

@@ -124,6 +124,9 @@ export interface ParseServerOptions {
   preventLoginWithUnverifiedEmail: ?boolean;
   /* Email verification token validity duration, in seconds */
   emailVerifyTokenValidityDuration: ?number;
+  /* an existing password reset token should be reused when resend verification is requested
+  :DEFAULT: false */
+  emailVerifyTokenReuseIfValid: ?boolean;
   /* account lockout policy for failed login attempts */
   accountLockout: ?any;
   /* Password policy for enforcing password related rules */