From 03e6e475bcfc8ebe3620a9f001dbae42f22aed8c Mon Sep 17 00:00:00 2001 From: Elanum Date: Thu, 17 Dec 2020 19:06:06 +0100 Subject: [PATCH] fix(server): fix reset password route --- server/src/routes/auth.js | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/server/src/routes/auth.js b/server/src/routes/auth.js index aa39558..a6d0e09 100644 --- a/server/src/routes/auth.js +++ b/server/src/routes/auth.js @@ -18,7 +18,7 @@ router const correctPassword = bcrypt.compare(password, user.password); - if (!correctPassword) return res.status(400).json({ message: 'Password is incorrect' }); + if (!correctPassword) { return res.status(400).json({ message: 'Password is incorrect' }); } const token = jwt.sign({ id: user._id, username: user.password }, secret, { expiresIn, @@ -39,7 +39,7 @@ router } catch (error) { return res.status(400).json({ message: error.message }); } - + delete user._doc.password; return res.status(201).json(user); }) .all((_req, res) => res.status(405).json({ message: 'Method Not Allowed' })); 
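Review bot: The login check on the context line `const correctPassword = bcrypt.compare(password, user.password);` is still not awaited, although this commit adds the `await` to the same call in the reset-password route. Called without a callback, `compare` presumably returns a Promise, which is always truthy, so the `if (!correctPassword)` branch re-braced here would never run and any password would be accepted; it should read `const correctPassword = await bcrypt.compare(password, user.password);` inside an `async` handler. The token payload just below also sets `username: user.password`, which would copy the stored hash into a token that is signed but not encrypted; `username: user.username` looks like what was intended. The handler starts and ends outside the hunk, so whether it is already `async` needs checking.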
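Review bot: `delete user._doc.password;` strips the hash by mutating what appears to be Mongoose's internal `_doc` store, which is not a documented API and leaves the live document without a field that later code or hooks may expect. Building the response from a plain copy is safer: `const { password, ...safeUser } = user.toObject();` followed by `return res.status(201).json(safeUser);`. The reset route's `.select('+password')` suggests the schema already hides the field on reads, so a `toJSON` transform on the schema would keep the hash out of every response rather than only this one. The handler begins outside the hunk.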
@@ -51,15 +51,17 @@ router async (req, res) => { const { username, oldPassword, newPassword } = req.body; - if (!username) return res.status(400).json({ message: 'Username is missing' }); - if (!oldPassword) return res.status(400).json({ message: 'Old Password is missing' }); - if (!newPassword) return res.status(400).json({ message: 'New Password is missing' }); + if (!username) { return res.status(400).json({ message: 'Username is missing' }); } + if (!oldPassword) { return res.status(400).json({ message: 'Old Password is missing' }); } + if (!newPassword) { return res.status(400).json({ message: 'New Password is missing' }); } const user = await User.findOne({ username }).select('+password'); + if (!user) return res.status(404).json({ message: 'User not found' }); + const passwordMatch = await bcrypt.compare(oldPassword, user.password); + + if (!passwordMatch) { return res.status(400).json({ message: 'Old password incorrect' }); } - const passwordMatch = bcrypt.compare(oldPassword, user.password); - if (!passwordMatch) return res.status(400).json({ message: 'Old password incorrect' }); user.password = newPassword; try { await user.save(); @@ -72,4 +74,4 @@ router ) .all((_req, res) => res.status(405).json({ message: 'Method Not Allowed' })); -export default router; +module.exports = router;
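Review bot: The new `if (!user) return res.status(404).json({ message: 'User not found' });` answers differently from the wrong-password branch (400, 'Old password incorrect'), so an unauthenticated caller can tell which usernames exist. Returning one response for both cases closes that: `if (!user || !(await bcrypt.compare(oldPassword, user.password))) { return res.status(400).json({ message: 'Invalid username or password' }); }`. `username` also goes from `req.body` into `User.findOne({ username })` without a type check, so a `typeof username !== 'string'` guard next to the missing-field checks would keep query-operator objects out of the filter. The added line is also the only unbraced `if` left in a hunk that braces the others. The handler body continues outside the hunk.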