From 516c82463f8419914624c11d2787686993a83b77 Mon Sep 17 00:00:00 2001
From: Oli Juhl <59018053+olivermrbl@users.noreply.github.com>
Date: Tue, 1 Oct 2024 15:30:23 +0200
Subject: [PATCH] fix: Validate `identifier` payload for reset password (#9302)

Closes CC-526
---
 .../http/__tests__/auth/admin/auth.spec.ts       | 16 ++++++++++++----
 .../[auth_provider]/reset-password/route.ts      |  5 +++--
 packages/medusa/src/api/auth/middlewares.ts      |  7 ++++++-
 packages/medusa/src/api/auth/validators.ts       |  6 ++++++
 4 files changed, 27 insertions(+), 7 deletions(-)
 create mode 100644 packages/medusa/src/api/auth/validators.ts

diff --git a/integration-tests/http/__tests__/auth/admin/auth.spec.ts b/integration-tests/http/__tests__/auth/admin/auth.spec.ts
index 641cd124b26b8..f54787cbdf8c2 100644
--- a/integration-tests/http/__tests__/auth/admin/auth.spec.ts
+++ b/integration-tests/http/__tests__/auth/admin/auth.spec.ts
@@ -139,15 +139,23 @@ medusaIntegrationTestRunner({
     describe("Reset password flows", () => {
       it("should generate a reset password token", async () => {
         const response = await api.post("/auth/user/emailpass/reset-password", {
-          email: "admin@medusa.js",
+          identifier: "admin@medusa.js",
         })
 
         expect(response.status).toEqual(201)
       })
 
+      it("should fail if identifier is not provided", async () => {
+        const errResponse = await api
+          .post("/auth/user/emailpass/reset-password", {})
+          .catch((e) => e)
+
+        expect(errResponse.response.status).toEqual(400)
+      })
+
       it("should fail to generate token for non-existing user, but still respond with 201", async () => {
         const response = await api.post("/auth/user/emailpass/reset-password", {
-          email: "non-existing-user@medusa.js",
+          identifier: "non-existing-user@medusa.js",
         })
 
         expect(response.status).toEqual(201)
@@ -156,7 +164,7 @@ medusaIntegrationTestRunner({
       it("should fail to generate token for existing user but no provider, but still respond with 201", async () => {
         const response = await api.post(
           "/auth/user/non-existing-provider/reset-password",
-          { email: "admin@medusa.js" }
+          { identifier: "admin@medusa.js" }
         )
 
         expect(response.status).toEqual(201)
@@ -165,7 +173,7 @@ medusaIntegrationTestRunner({
       it("should fail to generate token for existing user but no provider, but still respond with 201", async () => {
         const response = await api.post(
           "/auth/user/non-existing-provider/reset-password",
-          { email: "admin@medusa.js" }
+          { identifier: "admin@medusa.js" }
         )
 
         expect(response.status).toEqual(201)
diff --git a/packages/medusa/src/api/auth/[actor_type]/[auth_provider]/reset-password/route.ts b/packages/medusa/src/api/auth/[actor_type]/[auth_provider]/reset-password/route.ts
index a97234c58b0d7..dfa373ffa2b15 100644
--- a/packages/medusa/src/api/auth/[actor_type]/[auth_provider]/reset-password/route.ts
+++ b/packages/medusa/src/api/auth/[actor_type]/[auth_provider]/reset-password/route.ts
@@ -4,13 +4,14 @@ import {
   AuthenticatedMedusaRequest,
   MedusaResponse,
 } from "../../../../../types/routing"
+import { ResetPasswordRequestType } from "../../../validators"
 
 export const POST = async (
-  req: AuthenticatedMedusaRequest,
+  req: AuthenticatedMedusaRequest<ResetPasswordRequestType>,
   res: MedusaResponse
 ) => {
   const { auth_provider, actor_type } = req.params
-  const { identifier } = req.body
+  const { identifier } = req.validatedBody
 
   const { http } = req.scope.resolve(
     ContainerRegistrationKeys.CONFIG_MODULE
diff --git a/packages/medusa/src/api/auth/middlewares.ts b/packages/medusa/src/api/auth/middlewares.ts
index dd16f4fdebee3..cb6b46fec0c2e 100644
--- a/packages/medusa/src/api/auth/middlewares.ts
+++ b/packages/medusa/src/api/auth/middlewares.ts
@@ -1,6 +1,8 @@
 import { authenticate, MiddlewareRoute } from "@medusajs/framework/http"
+import { validateAndTransformBody } from "../utils/validate-body"
 import { validateScopeProviderAssociation } from "./utils/validate-scope-provider-association"
 import { validateToken } from "./utils/validate-token"
+import { ResetPasswordRequest } from "./validators"
 
 export const authRoutesMiddlewares: MiddlewareRoute[] = [
   {
@@ -41,7 +43,10 @@ export const authRoutesMiddlewares: MiddlewareRoute[] = [
   {
     method: ["POST"],
     matcher: "/auth/:actor_type/:auth_provider/reset-password",
-    middlewares: [validateScopeProviderAssociation()],
+    middlewares: [
+      validateScopeProviderAssociation(),
+      validateAndTransformBody(ResetPasswordRequest),
+    ],
   },
   {
     method: ["POST"],
diff --git a/packages/medusa/src/api/auth/validators.ts b/packages/medusa/src/api/auth/validators.ts
new file mode 100644
index 0000000000000..bd4a124e2a175
--- /dev/null
+++ b/packages/medusa/src/api/auth/validators.ts
@@ -0,0 +1,6 @@
+import { z } from "zod"
+
+export const ResetPasswordRequest = z.object({
+  identifier: z.string(),
+})
+export type ResetPasswordRequestType = z.infer<typeof ResetPasswordRequest>