I have a simple forgot-password feature: when a user requests a password change, he receives an email containing a token and his email address; on clicking the link he is redirected to a page that takes his new password.
What I do is this: when the link in the email is clicked, the server gets the request, a function takes the data out of the link and renders the page with it (using res.render), and then it should redirect to the rendered page.
The problem I am facing is that when I click the link, I get the data and the page is rendered, but I can't get res.redirect() to work.
My link looks like this:
http://localhost:3000/api/resetpassword?_csrf=ab8aa6a41567f817330e3e0a214725f8b2f88b487d5bef16f162e033c6a63dc41933511ddb79cb44ca049f472b3e0c593dbbaf&email=dummyEmail%2540dumyurl.ca
And then I get the request on the server using app.get():
app.get('/api/resetpassword', Admin.resetPasswordPage);
and my rendering and redirecting function looks like this:
resetPasswordPage: function (req, res, next) {
    // Express has already URL-decoded the query once; this undoes the second
    // level of encoding in the link (%2540 -> %40 -> @).
    req.query.email = decodeURIComponent(req.query.email);
    res.render('resetPassword', {
        Email: req.query.email,
        Csrf: req.query._csrf,
    }, function (err, html) {
        // With a callback, res.render only hands back the HTML; nothing is
        // sent to the client here.
        console.log("TESTING HTML ", html);
        if (!err)
            res.redirect("/resetPassword");
    });
}
Rendering is successful, as I get the complete HTML of the page in the html parameter, but the question is how to redirect to that page. The page is written in EJS and lives in the views folder.
It sounds like you want this flow:

/api/resetpassword... -> resetPasswordPage
function resetPasswordPage responds with the reset password form HTML page, pre-filled out based on the query parameters.
/resetPassword, you'll lose them. So you either have to live with the URL (which I would recommend, as it's the simplest) or rely on session state and the session cookie. However, marking the session with something like passwordResetOK=true probably exposes you to a whole bunch of CSRF attacks that the _csrf query string parameter is there to prevent.
<form method="post" action="/resetPassword">
POST /resetPassword

So, long story short, I think you just need to accept the URL being what it is, and you don't need a redirect in here until after the password reset operation completes.