Merge pull request #1071 from Open-Earth-Foundation/fix/user-not-foun…

…d-for-password-reset fix: adds better token verification error handling
Open-Earth-Foundation · Jan 20, 2025 · 72b9448 · 72b9448
2 parents 0714716 + bb87f89
commit 72b9448
Showing 1 changed file with 19 additions and 5 deletions.
diff --git a/app/src/app/api/v0/auth/password/route.ts b/app/src/app/api/v0/auth/password/route.ts
@@ -14,17 +14,31 @@ export const POST = apiHandler(async (req: Request) => {
     throw createHttpError.InternalServerError("Configuration error");
   }
 
-  const resetTokenData = jwt.verify(
-    body.resetToken,
-    process.env.RESET_TOKEN_SECRET,
-  );
-  const email = (<any>resetTokenData).email;
+  // verify reset token
+
+  let resetTokenData;
+  try {
+    resetTokenData = jwt.verify(
+      body.resetToken,
+      process.env.RESET_TOKEN_SECRET,
+    );
+  } catch (error: any) {
+    // handle reset token errors
+    if (error.name === "TokenExpiredError") {
+      throw createHttpError.Unauthorized("Reset token has expired.");
+    } else {
+      throw createHttpError.Unauthorized("Invalid reset token.");
+    }
+  }
+
+  const email = (resetTokenData as any).email;
   const user = await db.models.User.findOne({ where: { email } });
 
   if (!user) {
     throw createHttpError.NotFound("User not found!");
   }
 
+  // Update user password
   user.passwordHash = await bcrypt.hash(body.newPassword, 12);
   await user.save();