From bef4fde453fbabb7abc41a34f4255a0801013cc9 Mon Sep 17 00:00:00 2001
From: Tomas Van Morlegan
Date: Wed, 14 Apr 2021 20:53:21 -0300
Subject: [PATCH] fix field name of reset password token, add verifier and set status
---
 api/controllers/user.js | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/api/controllers/user.js b/api/controllers/user.js
index b8647b62..b6b22ba1 100644
--- a/api/controllers/user.js
+++ b/api/controllers/user.js
@@ -419,7 +419,7 @@ async function forgotPassword(req, res) {
 const response = {
 success: 1,
 userid: user.id,
- url: token,
+ //url: token,
 message: 'Success! Check your mail to reset your password.'
 };
 return res.status(200).json(response);
@@ -436,7 +436,6 @@ async function forgotPassword(req, res) {
 }
 async function storePassword(req, res) {
 const { userid, password, token } = req.body;
-
 try {
 const resetPassword = await ResetPassword.findOne({
 userId: userid,
@@ -448,10 +447,16 @@ async function storePassword(req, res) {
 error: err.message
 });
 }
- // the token and the hashed token in the db are verified befor updating the password
- bcrypt.compare(token, resetPassword.token, function(errBcrypt, resBcrypt) {
- let expireTime = moment.utc(resetPassword.expire);
+ // the token and the hashed token in the db are verified before updating the password
+ bcrypt.compare(token, resetPassword.resetPasswordToken, function(errBcrypt, resBcrypt) {
+ let expireTime = moment.utc(resetPassword.expire); // expireTime and currentTime is never used
 let currentTime = new Date();
+ if(!resBcrypt){
+ return res.status(500).json({
+ message: 'Error resetting user password.',
+ error: 'invalid Token'
+ });
+ }
 //hashing the password to store in the db node.js
 bcrypt.genSalt(8, function(err, salt) {
 bcrypt.hash(password, salt, async function(err, hash) {
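Review bot: The `//url: token,` line left inside the response object is dead code; delete it instead of commenting it out, since the intent of the change is precisely that the raw reset token no longer goes back to the caller of forgotPassword and a commented-out line invites someone to re-enable it. forgotPassword's body starts and ends outside this hunk.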
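Review bot: The added guard only tests `resBcrypt`, so a token that matches but is past `resetPassword.expire` still resets the password: `expireTime` is computed on the line above and the new comment itself says it is never used, and `errBcrypt` is discarded as well. Enforce the expiry in the same guard, drop the unused `currentTime`, and answer a bad or stale token with a client error rather than 500; `moment` is already in scope from the `moment.utc` call. If `ResetPassword.findOne` in the previous hunk can resolve to null, `resetPassword.resetPasswordToken` also throws a TypeError outside the `try`, so that case should be rejected before `bcrypt.compare` — the lines between the two hunks are not visible here, so such a check may already exist. storePassword's body starts before this hunk and continues past it.
```javascript
bcrypt.compare(token, resetPassword.resetPasswordToken, function(errBcrypt, resBcrypt) {
  const expireTime = moment.utc(resetPassword.expire);
  // reject a bcrypt failure, a mismatch, or a token past its expiry in one place
  if (errBcrypt || !resBcrypt || !moment.utc().isBefore(expireTime)) {
    return res.status(400).json({
      message: 'Error resetting user password.',
      error: 'invalid or expired token'
    });
  }
  // … unchanged: genSalt / hash / user update …
```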
@@ -464,8 +469,8 @@ async function storePassword(req, res) {
 message: 'No user found with that ID.'
 });
 }
- ResetPassword.findOneAndUpdate(
- { id: resetPassword.id },
+ ResetPassword.findByIdAndUpdate(
+ resetPassword._id,
 { status: true },
 function(err) {
 if (err) {
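Review bot: Setting `status: true` happens only after the password has already been changed, and from this hunk it is not visible whether the `ResetPassword.findOne` lookup at the top of storePassword filters on `status`; if it does not, the same token stays valid until expiry, and even if it does, two overlapping requests can both pass the compare before either update lands. Claim the token atomically before hashing, e.g. `const claimed = await ResetPassword.findOneAndUpdate({ _id: resetPassword._id, status: false }, { status: true });` and reject when `claimed` is null, so the token is single-use regardless of what happens later in the callback. The enclosing callbacks and storePassword itself start and end outside this hunk.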