Strip resetToken and resetTokenExpiresAt from dbAuth forgotPassword handler (#6778)

* Clear reset token with built-in function

* Remove any resetToken or resetTokenExpiresAt from forgotPassword handler response

* Updates test for forgotPassword return data

Author: cannikin

packages/api/src/functions/dbAuth/DbAuthHandler.ts

@@ -507,8 +507,18 @@ export class DbAuthHandler<TUser extends Record<string | number, any>> {
         this.options.forgotPassword as ForgotPasswordFlowOptions
       ).handler(this._sanitizeUser(user))
 
+      // remove resetToken and resetTokenExpiresAt if in the body of the
+      // forgotPassword handler response
+      let responseObj = response
+      if (typeof response === 'object') {
+        responseObj = Object.assign(response, {
+          [this.options.authFields.resetToken]: undefined,
+          [this.options.authFields.resetTokenExpiresAt]: undefined,
+        })
+      }
+
       return [
-        response ? JSON.stringify(response) : '',
+        response ? JSON.stringify(responseObj) : '',
         {
           ...this._deleteSessionHeader,
         },
@@ -613,14 +623,14 @@ export class DbAuthHandler<TUser extends Record<string | number, any>> {
         },
         data: {
           [this.options.authFields.hashedPassword]: hashedPassword,
-          [this.options.authFields.resetToken]: null,
-          [this.options.authFields.resetTokenExpiresAt]: null,
         },
       })
     } catch (e) {
       throw new DbAuthError.GenericError()
     }
 
+    await this._clearResetToken(user)
+
     // call the user-defined handler so they can decide what to do with this user
     const response = await (
       this.options.resetPassword as ResetPasswordFlowOptions

packages/api/src/functions/dbAuth/__tests__/DbAuthHandler.test.js

@@ -762,15 +762,16 @@ describe('dbAuth', () => {
       // base64 characters only, except =
       expect(resetUser.resetToken).toMatch(/^\w{16}$/)
       expect(resetUser.resetTokenExpiresAt instanceof Date).toEqual(true)
-      // response contains the user data, minus `hashedPassword` and `salt`
+
+      // response contains data returned from the handler
       expect(responseBody.id).toEqual(resetUser.id)
       expect(responseBody.email).toEqual(resetUser.email)
-      expect(responseBody.resetToken).toEqual(resetUser.resetToken)
-      expect(responseBody.resetTokenExpiresAt).toEqual(
-        resetUser.resetTokenExpiresAt.toISOString()
-      )
-      expect(responseBody.hashedPassword).toEqual(undefined)
-      expect(responseBody.salt).toEqual(undefined)
+
+      // response data should not include sensitive info
+      expect(responseBody.resetToken).toBeUndefined()
+      expect(responseBody.resetTokenExpiresAt).toBeUndefined()
+      expect(responseBody.hashedPassword).toBeUndefined()
+      expect(responseBody.salt).toBeUndefined()
     })
 
     it('returns a logout session cookie', async () => {
@@ -797,6 +798,22 @@ describe('dbAuth', () => {
       expect.assertions(1)
     })
 
+    it('removes the token from the forgotPassword response', async () => {
+      const user = await createDbUser()
+      event.body = JSON.stringify({
+        username: user.email,
+      })
+      options.forgotPassword.handler = (handlerUser) => {
+        return handlerUser
+      }
+      const dbAuth = new DbAuthHandler(event, context, options)
+      const response = await dbAuth.forgotPassword()
+      const jsonResponse = JSON.parse(response[0])
+
+      expect(jsonResponse.resetToken).toBeUndefined()
+      expect(jsonResponse.resetTokenExpiresAt).toBeUndefined()
+    })
+
     it('throws a generic error for an invalid client', async () => {
       const user = await createDbUser()
       event.body = JSON.stringify({