I am using Meteor and its account system. My enrollment process involves a few steps on resetting the password.
Template['enrollment'].events({
'submit #reset-password-form': function (e, template) {
e.preventDefault();
let token = Session.get('_resetPasswordToken');
let user = Meteor.users.findOne({ "services.password.reset.token": token });
let password = $(e.target).find('input#password').val();
if (AutoForm.validateForm('reset-password-form')) {
resetPasswordAsync(token, password)
.then(() => {
return Meteor.promise('Orders.initialize', template.data);
})
// a few more `.then()s`
.catch((error) => {
Notify.warn(error.message);
Meteor.call('User._resetToken', user, token);
})
}
}
});
The reason for this is because if anything fails in the promise chain, then they will remain on the same page but have an "uninitialized" state.
I use a meteor method, because a user should not be able to change his/her services to change their token back.
Meteor.methods({
'User._resetToken': function (user, token) {
check(user, Meteor.users.simpleSchema());
check(token, String);
Meteor.users.update(user._id, {
"services.password.reset.token": token
});
}
});
I vaguely feel like this is insecure, but can't quite tell why. Is there any exploits where resetting the user token on a callback can be exploited?
Aucun commentaire:
Enregistrer un commentaire