bug getodk#930: added email property check, ensuring the correct resp…

…onse.
dev-rahulbhadoriya · Dec 14, 2023 · 09c05fb · 09c05fb
1 parent 43bd8a4
commit 09c05fb
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/resources/users.js b/lib/resources/users.js
@@ -55,7 +55,7 @@ module.exports = (service, endpoint) => {
 
     // TODO/SECURITY: subtle timing attack here.
     service.post('/users/reset/initiate', endpoint(({ Users, mail }, { auth, body, query }) =>
-      Users.getByEmail(body.email)
+      (!body.email ? Problem.user.propertyNotFound({ property: 'email' }) : Users.getByEmail(body.email)
         .then((maybeUser) => maybeUser
           .map((user) => ((isTrue(query.invalidate))
             ? auth.canOrReject('user.password.invalidate', user.actor)
@@ -70,7 +70,7 @@ module.exports = (service, endpoint) => {
               .then((existed) => ((existed === true)
                 ? mail(body.email, 'accountResetDeleted')
                 : resolve()))))
-          .then(success))));
+          .then(success)))));
 
     // TODO: some standard URL structure for RPC-style methods.
     service.post('/users/reset/verify', endpoint(({ Actors, Sessions, Users }, { body, auth }) =>