
Merge pull request #9179 from weseek/fix/154291-fix-password-api

fix: Forgot password API - reject requests with invalid email format
mergify[bot] 1 год назад
Родитель
Сommit
8bbf17d8b1

+ 1 - 1
apps/app/src/server/middlewares/apiv3-form-validator.ts

@@ -1,5 +1,5 @@
 import { ErrorV3 } from '@growi/core/dist/models';
-import { NextFunction, Request, Response } from 'express';
+import type { NextFunction, Request, Response } from 'express';
 
 import loggerFactory from '~/utils/logger';
 

+ 9 - 1
apps/app/src/server/routes/apiv3/forgot-password.js

@@ -43,6 +43,14 @@ module.exports = (crowi) => {
           return (value === req.body.newPassword);
         }),
     ],
+    email: [
+      body('email')
+        .isEmail()
+        .escape()
+        .withMessage('message.Email format is invalid')
+        .notEmpty()
+        .withMessage('message.Email field is required'),
+    ],
   };
 
   const checkPassportStrategyMiddleware = checkForgotPasswordEnabledMiddlewareFactory(crowi, true);
@@ -61,7 +69,7 @@ module.exports = (crowi) => {
     });
   }
 
-  router.post('/', checkPassportStrategyMiddleware, addActivity, async(req, res) => {
+  router.post('/', checkPassportStrategyMiddleware, validator.email, apiV3FormValidator, addActivity, async(req, res) => {
     const { email } = req.body;
     const locale = configManager.getConfig('crowi', 'app:globalLang');
     const appUrl = appService.getSiteUrl();
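Review bot: `.escape()` in the new `email` chain (first hunk, the `body('email')` rule) HTML-encodes the value in place before the handler reads it at `const { email } = req.body;`, so an address that `isEmail()` accepts but that contains a character `escape()` rewrites — an apostrophe in the local part is valid — reaches the rest of the handler as `&#x27;`-style text rather than the submitted address. If that value is then used to look up the user or as the recipient, such requests fail silently; since the field has already passed `isEmail()` and is not rendered into HTML here, the chain is safer without the sanitizer, e.g. `body('email').notEmpty().withMessage('message.Email field is required').isEmail().withMessage('message.Email format is invalid'),` (or `.normalizeEmail()` in place of `.escape()` if canonicalisation is wanted). Putting `notEmpty()` first also keeps an empty field from reporting both messages, and avoids the `.withMessage()` that currently sits directly after the sanitizer, which reads as if it labelled `.escape()` even though express-validator attaches it to the preceding validator. The route handler body continues past the end of the second hunk.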

+ 2 - 2
apps/app/src/server/routes/forgot-password.ts

@@ -1,4 +1,4 @@
-import {
+import type {
   NextFunction, Request, Response,
 } from 'express';
 import createError from 'http-errors';
@@ -6,7 +6,7 @@ import createError from 'http-errors';
 import { forgotPasswordErrorCode } from '~/interfaces/errors/forgot-password';
 import loggerFactory from '~/utils/logger';
 
-import { IPasswordResetOrder } from '../models/password-reset-order';
+import type { IPasswordResetOrder } from '../models/password-reset-order';
 
 const logger = loggerFactory('growi:routes:forgot-password');