
res.redirect not working after the page is rendered with data

I have a simple forget-password functionality: when a user requests a change of password, he receives an email with a token and his email; on clicking it, he will be redirected to a page which will take his new password.

What I do is: when I click on a link in the email, the server gets the request, and a function takes the data out of the link, renders the page with the data (using res.render), and then it should redirect to the rendered page.

The problem I am facing is that when I click on the link, I get the data and the page is rendered, but I can't get res.redirect() to work.

My link looks like this:

http://localhost:3000/api/resetpassword?_csrf=ab8aa6a41567f817330e3e0a214725f8b2f88b487d5bef16f162e033c6a63dc41933511ddb79cb44ca049f472b3e0c593dbbaf&email=dummyEmail%2540dumyurl.ca

And then I get the request on server using app.get().

app.get('/api/resetpassword', Admin.resetPasswordPage);

and my rendering and redirecting function looks like this:

resetPasswordPage: function (req, res, next) {
    req.query.email = decodeURIComponent(req.query.email) ;
    res.render('resetPassword', {
        Email: req.query.email,
        Csrf : req.query._csrf,

    }, function (err, html) {
        console.log("TESTING HTML ", html);
        if (!err)
        res.redirect("/resetPassword");
    });
}

Rendering is successful, as I am getting the complete HTML of the page in the html parameter, but the question is how to redirect to that page. That page is made in EJS and it's in the views folder.

It sounds like you want this flow:

  1. User clicks link to /api/resetpassword...
  2. express runs the resetPasswordPage function
  3. resetPasswordPage responds with the reset password form HTML page, pre-filled out based on the query parameters
  4. I think at this point you don't like the URL in the browser address bar, which is why you think you need a redirect. But you need those query string parameters, and if you do a redirect to just /resetPassword, you'll lose them. So you either have to live with the URL (which I would recommend as it's the simplest) or rely on session state and the session cookie. However, marking the session with something like passwordResetOK=true probably exposes you to a whole bunch of CSRF attacks that the _csrf query string parameter is there to prevent.
  5. You don't need any redirect here, the browser has the form. Next step is for the user to fill out the form and submit it with <form method="post" action="/resetPassword">
  6. Browser does POST /resetPassword
  7. express routes that to another function that changes the password and then either sends back a success page or redirects to the home page or whatever

So long story short is I think you just need to accept the URL being what it is and you don't need a redirect in here until after the password reset operation completes.
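
The flow from the answer above, as an added example that is not part of the original question or answer: the GET step returns the form directly, and the only redirect happens after the POST succeeds. It goes beyond the thread by also checking the token on both requests, storing only its hash, and making it single use; the handlers take plain values instead of Express req/res so the block runs without dependencies, and the function names, the in-memory Map and the 15-minute lifetime are assumptions.

```javascript
// Added example: names, the in-memory store and the lifetime are assumptions.
const { randomBytes, createHash, timingSafeEqual } = require('node:crypto');

const TOKEN_TTL_MS = 15 * 60 * 1000;  // assumed token lifetime
const pendingResets = new Map();      // email -> { hash, expires }; stand-in for a DB table

const sha256 = (s) => createHash('sha256').update(s).digest();
const escapeHtml = (s) => String(s).replace(/[&<>"']/g,
  (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Build the e-mailed link; only the hash of the token is kept server side.
function issueResetLink(email, now = Date.now()) {
  const token = randomBytes(32).toString('hex');
  pendingResets.set(email, { hash: sha256(token), expires: now + TOKEN_TTL_MS });
  return '/api/resetpassword?' + new URLSearchParams({ _csrf: token, email });
}

function tokenIsValid(email, token, now = Date.now()) {
  const entry = pendingResets.get(email);
  if (!entry || typeof token !== 'string' || now > entry.expires) return false;
  return timingSafeEqual(entry.hash, sha256(token)); // both digests are 32 bytes
}

// Steps 1-3: GET answers with the form itself (200), no redirect.
function handleGet(url, now = Date.now()) {
  const q = new URL(url, 'http://localhost:3000').searchParams; // decodes once
  const email = q.get('email'), token = q.get('_csrf');
  if (!tokenIsValid(email, token, now)) return { status: 400, body: 'Invalid or expired link' };
  return { status: 200, body:
    '<form method="post" action="/resetPassword">' +
    `<input type="hidden" name="email" value="${escapeHtml(email)}">` +
    `<input type="hidden" name="_csrf" value="${escapeHtml(token)}">` +
    '<input type="password" name="password"><button>Reset</button></form>' };
}

// Steps 6-7: POST re-checks the token, consumes it, then redirects.
function handlePost(formBody, now = Date.now()) {
  const f = new URLSearchParams(formBody);
  const email = f.get('email');
  if (!tokenIsValid(email, f.get('_csrf'), now)) return { status: 400, body: 'Invalid or expired link' };
  pendingResets.delete(email); // single use: a replayed POST or reused link now fails
  // A real handler would store a password hash for this account at this point.
  return { status: 303, headers: { Location: '/' } };
}
```

In an Express app the same two functions would sit behind app.get('/api/resetpassword', ...) and app.post('/resetPassword', ...), with res.redirect called only in the POST handler.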
