fix: Validate identifier payload for reset password

integration-tests/http/__tests__/auth/admin/auth.spec.ts

@@ -139,15 +139,23 @@ medusaIntegrationTestRunner({
  describe("Reset password flows", () => {
  it("should generate a reset password token", async () => {
  const response = await api.post("/auth/user/emailpass/reset-password", {
- email: "[email protected]",
+ identifier: "[email protected]",
  })
 
  expect(response.status).toEqual(201)
  })
 
+ it("should fail if identifier is not provided", async () => {
+ const errResponse = await api
+ .post("/auth/user/emailpass/reset-password", {})
+ .catch((e) => e)
+
+ expect(errResponse.response.status).toEqual(400)
+ })
+
  it("should fail to generate token for non-existing user, but still respond with 201", async () => {
  const response = await api.post("/auth/user/emailpass/reset-password", {
- email: "[email protected]",
+ identifier: "[email protected]",
  })
 
  expect(response.status).toEqual(201)
@@ -156,7 +164,7 @@ medusaIntegrationTestRunner({
  it("should fail to generate token for existing user but no provider, but still respond with 201", async () => {
  const response = await api.post(
  "/auth/user/non-existing-provider/reset-password",
- { email: "[email protected]" }
+ { identifier: "[email protected]" }
  )
 
  expect(response.status).toEqual(201)
@@ -165,7 +173,7 @@ medusaIntegrationTestRunner({
  it("should fail to generate token for existing user but no provider, but still respond with 201", async () => {
  const response = await api.post(
  "/auth/user/non-existing-provider/reset-password",
- { email: "[email protected]" }
+ { identifier: "[email protected]" }
  )
 
  expect(response.status).toEqual(201)

packages/medusa/src/api/auth/[actor_type]/[auth_provider]/reset-password/route.ts

@@ -4,13 +4,14 @@ import {
  AuthenticatedMedusaRequest,
  MedusaResponse,
 } from "../../../../../types/routing"
+import { ResetPasswordRequestType } from "../../../validators"
 
 export const POST = async (
- req: AuthenticatedMedusaRequest,
+ req: AuthenticatedMedusaRequest<ResetPasswordRequestType>,
  res: MedusaResponse
 ) => {
  const { auth_provider, actor_type } = req.params
- const { identifier } = req.body
+ const { identifier } = req.validatedBody
 
  const { http } = req.scope.resolve(
  ContainerRegistrationKeys.CONFIG_MODULE

packages/medusa/src/api/auth/middlewares.ts

@@ -1,6 +1,8 @@
 import { authenticate, MiddlewareRoute } from "@medusajs/framework/http"
+import { validateAndTransformBody } from "../utils/validate-body"
 import { validateScopeProviderAssociation } from "./utils/validate-scope-provider-association"
 import { validateToken } from "./utils/validate-token"
+import { ResetPasswordRequest } from "./validators"
 
 export const authRoutesMiddlewares: MiddlewareRoute[] = [
  {
@@ -41,7 +43,10 @@ export const authRoutesMiddlewares: MiddlewareRoute[] = [
  {
  method: ["POST"],
  matcher: "/auth/:actor_type/:auth_provider/reset-password",
- middlewares: [validateScopeProviderAssociation()],
+ middlewares: [
+ validateScopeProviderAssociation(),
+ validateAndTransformBody(ResetPasswordRequest),
+ ],
  },
  {
  method: ["POST"],

packages/medusa/src/api/auth/validators.ts

@@ -0,0 +1,6 @@
+import { z } from "zod"
+
+export const ResetPasswordRequest = z.object({
+ identifier: z.string(),
+})
+export type ResetPasswordRequestType = z.infer<typeof ResetPasswordRequest>