kaori 4 лет назад
Родитель
Сommit
a27d672b64

+ 3 - 4
src/server/middlewares/password-reset.js

@@ -7,17 +7,15 @@ module.exports = (crowi, app) => {
 
   return async(req, res, next) => {
     const { token } = req.params;
-
     // if (token == null) {
     //   return res.redirect('/login');
     // }
 
     if (token == null) {
-      return next(createError(401, 'Token not found'));
+      return next(createError(400, 'Token not found'));
     }
 
     const passwordResetOrder = await PasswordResetOrder.findOne({ token });
-    // check the oneTimeToken is valid
     // console.log('passwordResetOrder.isRevoked1', passwordResetOrder.isRevoked);
 
     // if (passwordResetOrder == null || passwordResetOrder.isExpired() || passwordResetOrder.isRevoked) {
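Review bot: The commented-out redirect block and the debug line `// console.log('passwordResetOrder.isRevoked1', passwordResetOrder.isRevoked);` are still carried in the new version of this hunk, and a second commented-out copy of the validity check sits at the top of the next hunk. Dead alternatives beside a token check make it harder to see which validation path is live, so I would delete them and keep only the active checks. A short comment above the null check would document its intent, for example `// reject requests without a reset token before querying the database`. The middleware function starts before this hunk and ends after it.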
@@ -25,8 +23,9 @@ module.exports = (crowi, app) => {
     //   return res.redirect('/forgot-password/error/password-reset-order');
     // }
 
+    // check the oneTimeToken is valid
     if (passwordResetOrder == null || passwordResetOrder.isExpired() || passwordResetOrder.isRevoked) {
-      return next(createError(401, 'passwordResetOrder is null or expired or revoked'));
+      return next(createError(400, 'passwordResetOrder is null or expired or revoked'));
     }
 
     req.DataFromPasswordResetOrderMiddleware = passwordResetOrder;
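Review bot: The message passed to `createError(400, ...)` in the validity check names an internal model: `passwordResetOrder is null or expired or revoked`. If `createError` is the http-errors factory (its import is outside the hunk), 4xx messages are marked as exposable and may reach the client verbatim, depending on the error handler. Keeping a single message for all three states is the right choice, because the response then does not reveal whether a token ever existed or was already used. The text itself should be user-facing, for example `return next(createError(400, 'Invalid or expired password reset link'));`. The middleware body continues past the end of this hunk.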

+ 1 - 1
src/server/routes/apiv3/forgot-password.js

@@ -84,7 +84,7 @@ module.exports = (crowi) => {
     try {
       const userData = await user.updatePassword(newPassword);
       const serializedUserData = serializeUserSecurely(userData);
-      passwordResetOrder.isRevoked = true;
+      passwordResetOrder.revokeOneTimeToken();
       return res.apiv3({ userData: serializedUserData });
     }
     catch (err) {
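Review bot: The new call `passwordResetOrder.revokeOneTimeToken();` is not awaited. If that method persists the revocation asynchronously (its definition is not in this diff), the response is sent before the token is revoked, and a failed save becomes an unhandled rejection that this `try`/`catch` never sees. A reset token that stays valid after a successful password change can be replayed, so the revocation should complete, or fail visibly, before `res.apiv3` runs: `await passwordResetOrder.revokeOneTimeToken();`. Revocation also happens only after `user.updatePassword`, so two requests carrying the same token can both pass the middleware check; revoking first, or using an atomic conditional update, would close that window. The route handler starts and ends outside the hunk.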