Fix resetting password (#21)

globaldothealth · Sep 8, 2023 · 2d0e9b8 · 2d0e9b8
1 parent e36788e
commit 2d0e9b8
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 20 deletions.
diff --git a/verification/curator-service/api/src/controllers/auth.ts b/verification/curator-service/api/src/controllers/auth.ts
@@ -22,7 +22,7 @@ import bcrypt from 'bcrypt';
 import * as crypto from 'crypto';
 import EmailClient from '../clients/email-client';
 import { ObjectId } from 'mongodb';
-import { baseURL, welcomeEmail } from '../util/instance-details';
+import { welcomeEmail } from '../util/instance-details';
 import { validateRecaptchaToken } from '../util/validate-recaptcha-token';
 import {
     setupFailedAttempts,
@@ -37,6 +37,7 @@ import {
     forgotPasswordLimiter,
     resetPasswordWithTokenLimiter,
 } from '../util/single-window-rate-limiters';
+import validateEnv from '../util/validate-env';
 
 // Global variable for newsletter acceptance
 let isNewsletterAccepted: boolean;
@@ -582,7 +583,8 @@ export class AuthController {
                         createdAt: Date.now(),
                     });
 
-                    const url = baseURL(this.disease, this.env);
+                    const cleanEnv = validateEnv();
+                    const url = cleanEnv.BASE_URL;
 
                     const resetLink = `${url}/reset-password/${resetToken}/${user._id}`;
 
@@ -637,7 +639,7 @@ export class AuthController {
 
                     // Check if token exists
                     const passwordResetToken = await tokens().findOne({
-                        userId,
+                        userId: new ObjectId(userId),
                     });
                     if (!passwordResetToken) {
                         updateFailedAttempts(
@@ -705,7 +707,7 @@ export class AuthController {
                     );
 
                     // Delete used token
-                    await passwordResetToken.deleteOne();
+                    await tokens().deleteOne({ userId: new ObjectId(userId) });
 
                     res.sendStatus(200);
                 } catch (err) {

diff --git a/verification/curator-service/api/src/util/instance-details.ts b/verification/curator-service/api/src/util/instance-details.ts
@@ -1,16 +1,3 @@
-const urlMap: { [idx: string]: { [idx: string]: string } } = {
-    'COVID-19': {
-        local: 'http://localhost:3002',
-        dev: 'https://dev-data.covid-19.global.health',
-        qa: 'https://qa-data.covid-19.global.health',
-        prod: 'https://data.covid-19.global.health',
-    },
-};
-
-export function baseURL(disease: string, environment: string): string {
-    return urlMap[disease]?.[environment] ?? 'http://localhost:3002';
-}
-
 const welcomeMessages: { [idx: string]: string } = {
     'COVID-19': `<p>Thank you for registering with Global.health! We're thrilled to have you join our international community and mission to advance the global response to infectious diseases through the sharing of trusted and open public health data.</p>
         <p>Here are a few things you can do:</p>

diff --git a/verification/curator-service/api/src/util/validate-env.ts b/verification/curator-service/api/src/util/validate-env.ts
@@ -5,11 +5,13 @@ export default function validateEnv(): Readonly<{
     AWS_ACCESS_KEY_ID: string;
     AWS_SECRET_ACCESS_KEY: string;
     AWS_SERVICE_REGION: string;
+    BASE_URL: string;
     COMPLETE_DATA_BUCKET: string;
     COUNTRY_DATA_BUCKET: string;
     CURATOR_VERSION: string;
     DATASERVER_URL: string;
     DB_CONNECTION_STRING: string;
+    DISEASE_NAME: string;
     EMAIL_USER_ADDRESS: string;
     ENABLE_LOCAL_AUTH: boolean;
     EVENT_ROLE_ARN: string;
@@ -19,12 +21,11 @@ export default function validateEnv(): Readonly<{
     LOCATION_SERVICE_URL: string;
     JOB_QUEUE_ARN: string;
     PORT: number;
+    REACT_APP_RECAPTCHA_SITE_KEY: string;
+    RECAPTCHA_SECRET_KEY: string;
     SERVICE_ENV: string;
     SESSION_COOKIE_KEY: string;
     STATIC_DIR: string;
-    DISEASE_NAME: string;
-    REACT_APP_RECAPTCHA_SITE_KEY: string;
-    RECAPTCHA_SECRET_KEY: string;
 }> & {
     readonly [varName: string]: string | boolean | number | undefined;
     // eslint-disable-next-line indent
@@ -48,6 +49,10 @@ export default function validateEnv(): Readonly<{
             desc: 'AWS region in which to interact with services/resources',
             default: 'eu-central-1',
         }),
+        BASE_URL: str({
+            desc: 'URL of the application, used for generating reset password link',
+            devDefault: 'http://localhost:3002',
+        }),
         COMPLETE_DATA_BUCKET: str({
             desc: 'S3 bucket containing case data by country',
             devDefault: 'covid-19-data-export-dev-eu',