
Merge pull request #4125 from weseek/imprv/gw-7060-into-topic-brunch

Imprv/gw 7060 into topic brunch
cao пре 4 година
родитељ
комит
fe31e55e8e
2 измењених фајлова са 14 додато и 0 уклоњено
  1. 2 0
      src/server/middlewares/password-reset.js
  2. 12 0
      src/server/routes/apiv3/forgot-password.js

+ 2 - 0
src/server/middlewares/password-reset.js

@@ -1,6 +1,8 @@
 module.exports = (crowi, app) => {
   const PasswordResetOrder = crowi.model('PasswordResetOrder');
 
+  // need refuctoring with http-error by GW-7091
+
   return async(req, res, next) => {
     const { token } = req.params;
 

+ 12 - 0
src/server/routes/apiv3/forgot-password.js

@@ -49,6 +49,13 @@ module.exports = (crowi) => {
     const appUrl = appService.getSiteUrl();
 
     try {
+      const user = await User.findOne({ email });
+
+      // when the user is not found or active
+      if (user == null || user.status !== 2) {
+        return res.apiv3Err('User not found or active');
+      }
+
       const passwordResetOrderData = await PasswordResetOrder.createPasswordResetOrder(email);
       const url = new URL(`/forgot-password/${passwordResetOrderData.token}`, appUrl);
       const oneTimeUrl = url.href;
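Review bot: The new guard ending in `return res.apiv3Err('User not found or active');` answers differently when the address does not belong to an active account, so an unauthenticated caller of this forgot-password route can tell which emails are registered. Returning the same response the success path sends, while skipping order creation and the mail, would close that; the `try` block and its success response continue outside this hunk, so the exact form should be checked there. The comment reads "not found or active" where the condition means "not found or not active", and `user.status !== 2` relies on a bare literal; a named status constant from the User model, if it exposes one, would make the intent clear. The same comment and literal recur in the later hunk that guards `user.updatePassword`. Logging the rejected request server-side would also make repeated probing of this endpoint visible.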
@@ -70,6 +77,11 @@ module.exports = (crowi) => {
 
     const user = await User.findOne({ email });
 
+    // when the user is not found or active
+    if (user == null || user.status !== 2) {
+      return res.apiv3Err('update-password-failed');
+    }
+
     try {
       const userData = await user.updatePassword(newPassword);
       const serializedUserData = serializeUserSecurely(userData);