From 8895f12aff16cb9d073dab0e2049e61316dc9911 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Moratinos?=
 <codecombat@sebastien-moratinos.com>
Date: Mon, 3 Feb 2014 00:01:40 +0100
Subject: [PATCH 1/2] Fix error 500 when resetting password if bad input.

---
 server/routes/auth.coffee | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/routes/auth.coffee b/server/routes/auth.coffee
index 84a885540..169e18a6d 100644
--- a/server/routes/auth.coffee
+++ b/server/routes/auth.coffee
@@ -56,7 +56,7 @@ module.exports.setupRoutes = (app) ->
 
   app.post('/auth/reset', (req, res) ->
     unless req.body.email
-      return errors.badInput(res, [{message:'Need an email specified.', property:email}])
+      return errors.badInput(res, [{message:'Need an email specified.', property:'email'}])
 
     User.findOne({emailLower:req.body.email.toLowerCase()}).exec((err, user) ->
       if not user
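Review bot: The new guard only covers a missing email; a body whose `email` is not a string still reaches `req.body.email.toLowerCase()` on the `User.findOne` line and throws, which is the same 500 this commit sets out to fix, and an object-valued `email` would otherwise be handed straight into the Mongoose query as a filter. Whether non-string values can arrive here depends on the body parser configured outside this hunk, but the check is cheap either way: `unless req.body.email and typeof req.body.email is 'string'`. The route handler continues below the hunk.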

From f27db349761e80c7fbe7b3872622568454c03fae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Moratinos?=
 <codecombat@sebastien-moratinos.com>
Date: Mon, 3 Feb 2014 00:02:47 +0100
Subject: [PATCH 2/2] add server auth test (reset password)

---
 server/routes/auth.coffee    |  2 +-
 test/server/auth.spec.coffee | 80 ++++++++++++++++++++++++++++++++----
 2 files changed, 74 insertions(+), 8 deletions(-)

diff --git a/server/routes/auth.coffee b/server/routes/auth.coffee
index 169e18a6d..0ab5476d4 100644
--- a/server/routes/auth.coffee
+++ b/server/routes/auth.coffee
@@ -74,7 +74,7 @@ module.exports.setupRoutes = (app) ->
             else
               return res.end()
         else
-          console.log 'new password is', user.get('passwordReset')
+          res.send user.get('passwordReset')
           return res.end()
     )
   )
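Review bot: `res.send user.get('passwordReset')` returns the freshly generated temporary password to whoever submitted the POST, so knowing an account's email address is enough to obtain a credential that logs in as that account; the spec's 'can login after resetting' case in this same commit exercises exactly that path. The reset value should be delivered only to the user's stored email address, and the HTTP response should carry nothing beyond a status, i.e. keep just `return res.end()` at this point. That also removes the redundant `res.end()` after `res.send`, which already finishes the response. The enclosing `app.post('/auth/reset', ...)` handler starts above the hunk.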
diff --git a/test/server/auth.spec.coffee b/test/server/auth.spec.coffee
index 3a34d9b7c..c92a83d8c 100644
--- a/test/server/auth.spec.coffee
+++ b/test/server/auth.spec.coffee
@@ -1,4 +1,8 @@
 require './common'
+request = require 'request'
+
+urlLogin = getURL('/auth/login')
+urlReset = getURL('/auth/reset')
 
 describe '/auth/whoami', ->
   http = require 'http'
@@ -10,8 +14,6 @@ describe '/auth/whoami', ->
     )
 
 describe '/auth/login', ->
-  url = getURL('/auth/login')
-  request = require 'request'
 
   it 'clears Users first', (done) ->
     User.remove {}, (err) ->
@@ -19,7 +21,7 @@ describe '/auth/login', ->
       done()
 
   it 'finds no user', (done) ->
-    req = request.post(url, (error, response) ->
+    req = request.post(urlLogin, (error, response) ->
       expect(response).toBeDefined()
       expect(response.statusCode).toBe(401)
       done()
@@ -40,7 +42,7 @@ describe '/auth/login', ->
     form.append('password', 'nada')
 
   it 'finds that created user', (done) ->
-    req = request.post(url, (error, response) ->
+    req = request.post(urlLogin, (error, response) ->
       expect(response).toBeDefined()
       expect(response.statusCode).toBe(200)
       done()
@@ -50,7 +52,7 @@ describe '/auth/login', ->
     form.append('password', 'nada')
 
   it 'rejects wrong passwords', (done) ->
-    req = request.post(url, (error, response) ->
+    req = request.post(urlLogin, (error, response) ->
       expect(response.statusCode).toBe(401)
       expect(response.body.indexOf("wrong, wrong")).toBeGreaterThan(-1)
       done()
@@ -60,10 +62,74 @@ describe '/auth/login', ->
     form.append('password', 'blahblah')
 
   it 'is completely case insensitive', (done) ->
-    req = request.post(url, (error, response) ->
+    req = request.post(urlLogin, (error, response) ->
       expect(response.statusCode).toBe(200)
       done()
     )
     form = req.form()
     form.append('username', 'scoTT@gmaIL.com')
-    form.append('password', 'NaDa')
\ No newline at end of file
+    form.append('password', 'NaDa')
+
+
+describe '/auth/reset', ->
+  passwordReset = ''
+
+  it 'emails require', (done) ->
+    req = request.post(urlReset, (error, response) ->
+      expect(response).toBeDefined()
+      expect(response.statusCode).toBe(422)
+      done()
+    )
+    form = req.form()
+    form.append('username', 'scott@gmail.com')
+
+  it 'can\'t reset an unknow user', (done) ->
+    req = request.post(urlReset, (error, response) ->
+      expect(response).toBeDefined()
+      expect(response.statusCode).toBe(404)
+      done()
+    )
+    form = req.form()
+    form.append('email', 'unknow')
+
+  it 'reset user password', (done) ->
+    req = request.post(urlReset, (error, response) ->
+      expect(response).toBeDefined()
+      expect(response.statusCode).toBe(200)
+      expect(response.body).toBeDefined()
+      passwordReset = response.body
+      done()
+    )
+    form = req.form()
+    form.append('email', 'scott@gmail.com')
+
+  it 'can login after resetting', (done) ->
+    req = request.post(urlLogin, (error, response) ->
+      expect(response).toBeDefined()
+      expect(response.statusCode).toBe(200)
+      done()
+    )
+    form = req.form()
+    form.append('username', 'scott@gmail.com')
+    form.append('password', passwordReset)
+
+  it 'resetting password is not permanent', (done) ->
+    req = request.post(urlLogin, (error, response) ->
+      expect(response).toBeDefined()
+      expect(response.statusCode).toBe(401)
+      done()
+    )
+    form = req.form()
+    form.append('username', 'scott@gmail.com')
+    form.append('password', passwordReset)
+
+
+  it 'can still login with old password', (done) ->
+    req = request.post(urlLogin, (error, response) ->
+      expect(response).toBeDefined()
+      expect(response.statusCode).toBe(200)
+      done()
+    )
+    form = req.form()
+    form.append('username', 'scott@gmail.com')
+    form.append('password', 'nada')
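Review bot: The new '/auth/reset' cases pass state between `it` blocks through the shared `passwordReset` variable, and 'reset user password' also relies on the scott@gmail.com user created by the '/auth/login' block above, so they only pass when run in file order and cannot be run in isolation; a `beforeEach` (or a dedicated setup case) that creates the user would make the dependency explicit. 'reset user password' also pins the expectation that the response body contains the temporary password, which is the behaviour most worth questioning in the route change in this commit. The descriptions have typos: `it 'requires an email'` and `it 'can\'t reset an unknown user'`.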