
Commit 72035d7

committed
fix: Normalize timing for passwordless accounts, strengthen test assertions
1 parent 06cfc04 commit 72035d7


2 files changed

+14
-15
lines changed


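--- a/spec/ParseUser.spec.js
+++ b/spec/ParseUser.spec.js
@@ -88,24 +88,21 @@ describe('Parse.User testing', () => {
 await Parse.User.signUp('existinguser', 'password123');
 compareSpy.calls.reset();
 
-// Login with non-existent user
-try {
-await Parse.User.logIn('nonexistentuser', 'wrongpassword');
-} catch (e) {
-expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
-}
-// bcrypt.compare should have been called even for non-existent user
+// Login with non-existent user — should use dummy hash
+await expectAsync(
+Parse.User.logIn('nonexistentuser', 'wrongpassword')
+).toBeRejected();
 expect(compareSpy).toHaveBeenCalledTimes(1);
+expect(compareSpy).toHaveBeenCalledWith('wrongpassword', passwordCrypto.dummyHash);
 compareSpy.calls.reset();
 
-// Login with existing user but wrong password
-try {
-await Parse.User.logIn('existinguser', 'wrongpassword');
-} catch (e) {
-expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
-}
-// bcrypt.compare should have been called for existing user
+// Login with existing user but wrong password — should use real hash
+await expectAsync(
+Parse.User.logIn('existinguser', 'wrongpassword')
+).toBeRejected();
 expect(compareSpy).toHaveBeenCalledTimes(1);
+expect(compareSpy.calls.mostRecent().args[0]).toBe('wrongpassword');
+expect(compareSpy.calls.mostRecent().args[1]).not.toBe(passwordCrypto.dummyHash);
 });
 
 it('logs username taken with configured log level', async () => {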
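Review bot: Replacing the try/catch with `toBeRejected()` at new lines 92–94 and 100–102 drops the assertion that the rejection carries `Parse.Error.OBJECT_NOT_FOUND`, so any rejection — including a TypeError thrown by the code under test — now passes, and the test no longer verifies that the missing-user and wrong-password paths yield the same error code, which matters for user-enumeration resistance as much as the timing does. Assert the code as well, e.g. `).toBeRejectedWith(jasmine.objectContaining({ code: Parse.Error.OBJECT_NOT_FOUND }));` in place of `).toBeRejected();` in both blocks. The `it(...)` block these lines belong to starts above the hunk.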

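--- a/src/Routers/UsersRouter.js
+++ b/src/Routers/UsersRouter.js
@@ -127,7 +127,9 @@ export class UsersRouter extends ClassesRouter {
 user = results[0];
 }
 
-return passwordCrypto.compare(password, user.password);
+const hashedPassword =
+typeof user.password === 'string' ? user.password : passwordCrypto.dummyHash;
+return passwordCrypto.compare(password, hashedPassword);
 })
 .then(correct => {
 isValidPassword = correct;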
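Review bot: The result of comparing against `passwordCrypto.dummyHash` is returned unchanged on new line 132 and flows straight into `isValidPassword = correct`, so correctness of the login decision for a passwordless account now rests on the dummy hash never matching any submitted value; how `dummyHash` is produced is not visible here, so this may be fine today, but the login path should not depend on it. Keep the comparison for constant timing and discard its outcome whenever the account has no stored password: `const hasPassword = typeof user.password === 'string';`, `const hashedPassword = hasPassword ? user.password : passwordCrypto.dummyHash;`, `return passwordCrypto.compare(password, hashedPassword).then(correct => correct && hasPassword);`. If `user` can still be undefined here when `results` is empty (the branch above is cut off by the hunk), `user.password` would throw a TypeError before the compare runs and skip the timing normalization — worth confirming. The enclosing `.then` callback and the function it belongs to both start and end outside the hunk.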
