eddyystop/feathers-service-verify-reset

Tokens passed back to client

brendan-myers opened this issue · 3 comments

I've been playing with the example, and I must be missing something really obvious!

It looks as though the resetToken and verifyToken need to be present in the user object (i.e. not removed by hooks) in order for the emailer function (passed to the verifyReset service) to use them in the emails that are sent to the user. However, this means they are included in the user object that's returned to the VerifyReset client.js calls.

In the console for the example app, I can call verifyReset.sendResetPassword("email@address.com", (e,u) => {console.log(u)}) to generate a resetToken, that's then passed straight back to me!

There must be some setting or something I missed, otherwise this would be a pretty massive security oversight!

Thanks for catching this. Data was being passed back for the unit tests, which I forgot to sanitize for production. 0.5.2 fixes this.

options.testMode can start the service in test mode. Tests have been added to check the user data is sanitized in the callbacks.
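The dilemma raised in the issue (the emailer needs the tokens on the user record, but the client must never receive them) is the classic reason to sanitize per caller rather than per record. The following is an added example, not code from feathers-service-verify-reset: a Feathers-style `after` hook that strips the tokens only when the call came in from an external transport (`params.provider` is set), leaving internal server-side calls such as the emailer untouched. It assumes the standard Feathers hook context shape (`type`, `params`, `result`) and handles single records, arrays and paginated `find` results.

```javascript
// Added example (not the project's own code). Assumed hook context shape:
// { type: 'after', params: { provider?: 'rest' | 'socketio' }, result }.
const SENSITIVE_FIELDS = ['resetToken', 'verifyToken', 'password'];

// Return a copy of one record with the sensitive fields removed.
function stripFields(record, fields) {
  if (!record || typeof record !== 'object') return record;
  const copy = { ...record };
  for (const f of fields) delete copy[f];
  return copy;
}

// Sanitize whatever shape a service method returned:
// a single record, an array (unpaginated find) or a paginated { data: [...] }.
function sanitizeResult(result, fields = SENSITIVE_FIELDS) {
  if (Array.isArray(result)) return result.map(r => stripFields(r, fields));
  if (result && Array.isArray(result.data)) {
    return { ...result, data: result.data.map(r => stripFields(r, fields)) };
  }
  return stripFields(result, fields);
}

// Hook factory, e.g. app.service('users').hooks({ after: { all: [removeTokens()] } }).
// Internal calls (no params.provider) keep the tokens so the emailer can use
// them; anything that reaches a transport is sanitized before it leaves.
function removeTokens(fields = SENSITIVE_FIELDS) {
  return function (hook) {
    if (hook.type !== 'after') {
      throw new Error('removeTokens() must be registered as an after hook');
    }
    const external = hook.params && hook.params.provider;
    if (!external) return hook;
    hook.result = sanitizeResult(hook.result, fields);
    return hook;
  };
}
```

A unit test that exercises the hook with `params.provider` set to a transport name is the cheapest regression check for exactly the leak described above.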

There's a bug where the emailer is not passed all the data it needs. I'm working on it.

Fixed in 0.5.3