changepw doesn't reject the promise if [new] is empty

[laurpaik-zz]

Hi, I don't know if this was intentional/trying to teach us a lesson on thorough testing, but in the users controller, having no input for new password does not reject the promise. On the front-end, this means someone can have an empty form field for new password, and it will still successfully PATCH, but the password is still the same. I'm guessing there needs to be something along the lines of

req.body.passwords.new !== null ? user.setPassword(req.body.passwords.new) : Promise.reject(new HttpError(404))

around line 101?

[cob0910]

I used this template for my capstone and found a solution for this. I was about to open an issue when I found yours.

controllers/users.js

const changepw = (req, res, next) => {
  debug('Changing password');
  User.findOne({
    _id: req.params.id,
    token: req.user.token,
  }).then(user =>
      // needed to add this line to prevent false success message when no new password typed
      user && req.body.passwords.new !== '' && req.body.passwords.new !== undefined ? user.comparePassword(req.body.passwords.old) :
        Promise.reject(new HttpError(404))
  ).then(user => {
    user.password = req.body.passwords.new;
    return user.save();
  }).then((/* user */) =>
    res.sendStatus(204)
  ).catch(makeErrorHandler(res, next));
};