user8331511

Database does not update user password reset

I'm creating password reset functionality, and my database doesn't seem to update the user's password. When I submit the new-password form, I get a 404.

Here is my post route for the form

// Token URL :post
// Handles submission of the new-password form for a reset token.
router.post('/users/reset/:token', (req, res, next) => {
  // NOTE(review): this guard is inverted. When the two fields MATCH, next()
  // hands the request to the next matching handler and the return exits, so
  // the User.findOne below never runs on the success path. If no later handler
  // is registered for this route, Express answers 404. That is consistent with
  // the log, which shows no Mongoose query after the POST.
  if(req.body.password === req.body['password-confirm']) {
    next();
    return;
  }

  // Only reached when the passwords do NOT match.
  req.flash('error', 'Passwords do not match!');
  res.redirect('back');

  // NOTE(review): there is no return after the redirect above, so the lookup
  // and password change below still run for a mismatched submission, and the
  // redirects further down are issued after a response was already sent.
  User.findOne({
    resetPasswordToken: req.params.token,
    resetPasswordExpires: { $gt: Date.now() }
  }, function(err, user) {
    // NOTE(review): err is never checked, and this branch does not return, so
    // execution continues to user.setPassword with no user when the token is
    // unknown or expired.
    if(!user) {
      req.flash('error', ' Password reset is invalid or has expired');
      res.redirect(302, '/login');
    }

    // NOTE(review): the result of setPassword is not awaited, so save() can
    // run before the new password has been set on the document.
    const setPassword = promisify(user.setPassword, user);
    setPassword(req.body.password);
    // Clear the token fields so the same reset link cannot be reused.
    user.resetPasswordToken = undefined;
    user.resetPasswordExpires = undefined;
    // NOTE(review): save() is not awaited either; updatedUser is presumably a
    // pending promise rather than the saved document. Confirm before passing
    // it to req.login.
    const updatedUser = user.save();
    req.login(updatedUser);
    req.flash('success_msg', 'Your password has been reset successfully! You are now logged in!');
    res.redirect('/dashboard');
  });
});

and here are the logs with mongodb debug on

Thu Jan 25 2018 20:06:23 GMT+0000 (GMT): GET /users/forgot
Thu Jan 25 2018 20:06:24 GMT+0000 (GMT): GET /favicon.ico
Thu Jan 25 2018 20:06:26 GMT+0000 (GMT): POST /users/forgot
Mongoose: users.findOne({ email: '[email protected]' }, { fields: {} })
{ email: '[email protected]' }
Mongoose: users.update({ _id: ObjectId("5a5c6740b9e210087e098fd6") }, { '$set': { resetPasswordExpires: new Date("Thu, 25 Jan 2018 21:06:26 GMT"), resetPasswordToken: '566c509df009f6f43c3d2b5f324764173bd2d251' } })
Message sent: <[email protected]>

Preview URL: https://ethereal.email/message/WlVWjq0qIgpSmhJbWmo4xEK5Zwpruz6bAAAAp8kW.z.4aFEFOL5zp93OWds
Thu Jan 25 2018 20:06:28 GMT+0000 (GMT): GET /users/login
Thu Jan 25 2018 20:06:29 GMT+0000 (GMT): GET /favicon.ico
Thu Jan 25 2018 20:06:45 GMT+0000 (GMT): GET /users/reset/566c509df009f6f43c3d2b5f324764173bd2d251
Mongoose: users.findOne({ resetPasswordExpires: { '$gt': new Date("Thu, 25 Jan 2018 20:06:45 GMT") }, resetPasswordToken: '566c509df009f6f43c3d2b5f324764173bd2d251' }, { fields: {} })
Thu Jan 25 2018 20:06:45 GMT+0000 (GMT): GET /favicon.ico
Thu Jan 25 2018 20:06:53 GMT+0000 (GMT): POST /users/reset/566c509df009f6f43c3d2b5f324764173bd2d251
Thu Jan 25 2018 20:06:53 GMT+0000 (GMT): GET /favicon.ico

When I click on the generated link in the email, it goes to the password reset, no issues there. It's just the form that doesn't submit.

Here is a gif of the issue


Answers (1)

user5734311

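Your route calls `next()` when the passwords match, so the handler exits before `User.findOne` ever runs, and with no further handler for that route Express returns a 404. Invert the check so that only a mismatch ends the request early. Try this: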

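/**
 * POST /users/reset/:token: set a new password for the account that owns a
 * valid, unexpired reset token, then log that user in.
 *
 * Flow: reject mismatched passwords, look up the user by token and expiry,
 * set the password, clear the token fields, save, log in, redirect.
 * Every early exit returns so that only one response is sent per request.
 */
router.post('/users/reset/:token', (req, res, next) => {
  const password = req.body.password;

  // If the passwords don't match, flash an error and send back to the form.
  // The typeof check rejects arrays/objects a body parser may produce, so only
  // a plain string is ever handed to setPassword.
  if (typeof password !== 'string' || password !== req.body['password-confirm']) {
    req.flash('error', 'Passwords do not match!');
    res.redirect('/users/change-password');  // insert actual form URL
    return; // we're done handling the route, exit function
  }

  // If we get to here, the passwords match.
  // NOTE(review): the token is matched against the stored value as-is;
  // consider storing only a hash of the token so a database or log leak does
  // not expose usable reset links.
  User.findOne({
    resetPasswordToken: req.params.token,
    resetPasswordExpires: {
      $gt: Date.now()
    }
  }, async (err, user) => {
    if (err) {
      next(err);
      return;
    }

    if (!user) {
      req.flash('error', ' Password reset is invalid or has expired');
      res.redirect(302, '/login');
      return; // without this, the code below would run with no user
    }

    try {
      // Bind explicitly so `this` is the user document regardless of which
      // promisify implementation the file imports.
      const setPassword = promisify(user.setPassword.bind(user));
      await setPassword(password);

      // Invalidate the token so the reset link cannot be replayed.
      user.resetPasswordToken = undefined;
      user.resetPasswordExpires = undefined;
      const updatedUser = await user.save();

      // Log in only after the save has completed, and redirect only once the
      // session is established.
      // NOTE(review): assumes Passport's callback form of req.login; confirm
      // against how the app sets it up.
      req.login(updatedUser, (loginErr) => {
        if (loginErr) {
          next(loginErr);
          return;
        }
        req.flash('success_msg', 'Your password has been reset successfully! You are now logged in!');
        res.redirect('/dashboard');
      });
    } catch (resetErr) {
      // Surface failures from setPassword/save instead of leaving the request hanging.
      next(resetErr);
    }
  });
});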
