Fix password reset without a reseet token

pkg/user/error.go

@@ -157,6 +157,12 @@ func (err ErrNoPasswordResetToken) HTTPError() web.HTTPError {
 	return web.HTTPError{HTTPCode: http.StatusPreconditionFailed, Code: ErrCodeNoPasswordResetToken, Message: "No token to reset a user's password provided."}
 }
 
+// IsErrNoPasswordResetToken checks if an error is ErrNoPasswordResetToken
+func IsErrNoPasswordResetToken(err error) bool {
+	_, ok := err.(ErrNoPasswordResetToken)
+	return ok
+}
+
 // ErrInvalidPasswordResetToken is an error where the password reset token is invalid
 type ErrInvalidPasswordResetToken struct {
 	Token string

pkg/user/user_password_reset.go

@@ -39,6 +39,10 @@ func ResetPassword(s *xorm.Session, reset *PasswordReset) (err error) {
 		return ErrNoUsernamePassword{}
 	}
 
+	if reset.Token == "" {
+		return ErrNoPasswordResetToken{}
+	}
+
 	// Check if we have a token
 	var user User
 	exists, err := s.

pkg/user/user_test.go

@@ -410,12 +410,12 @@ func TestUserPasswordReset(t *testing.T) {
 		defer s.Close()
 
 		reset := &PasswordReset{
-			Token:       "somethingsomething",
+			Token:       "",
 			NewPassword: "12345",
 		}
 		err := ResetPassword(s, reset)
 		assert.Error(t, err)
-		assert.True(t, IsErrInvalidPasswordResetToken(err))
+		assert.True(t, IsErrNoPasswordResetToken(err))
 	})
 	t.Run("wrong token", func(t *testing.T) {
 		db.LoadAndAssertFixtures(t)