From 9343806cd7895d8ebdfed8334887065d1072fe46 Mon Sep 17 00:00:00 2001
From: Valerio Santinelli
Date: Wed, 15 Jul 2015 12:28:13 +0200
Subject: [PATCH 1/2] Fixed password reset. The check on the expiration date was incorrect.
---
 server/boot/user.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/boot/user.js b/server/boot/user.js
index d2d9a0936b..37bf4486fd 100644
--- a/server/boot/user.js
+++ b/server/boot/user.js
@@ -425,7 +425,7 @@ module.exports = function(app) {
 {
 where: {
 resetPasswordToken: req.params.token,
- resetPasswordExpires: Date.now()
+ resetPasswordExpires: { gte: Date.now() }
 }
 },
 function(err, user) {
@@ -462,7 +462,7 @@ module.exports = function(app) {
 {
 where: {
 resetPasswordToken: req.params.token,
- resetPasswordExpires: Date.now()
+ resetPasswordExpires: { gte: Date.now() }
 }
 },
 function(err, user) {
From d80fe7ff43328653a77274e3aef0adccbeaf245b Mon Sep 17 00:00:00 2001
From: Valerio Santinelli
Date: Wed, 15 Jul 2015 12:41:09 +0200
Subject: [PATCH 2/2] Fixes URL validation using the standard validator package.
---
 server/boot/story.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/boot/story.js b/server/boot/story.js
index d693b7f48d..ef9f10a509 100755
--- a/server/boot/story.js
+++ b/server/boot/story.js
@@ -10,6 +10,7 @@ var Rx = require('rx'),
 saveUser = require('../utils/rx').saveUser,
 saveInstance = require('../utils/rx').saveInstance,
 MongoClient = mongodb.MongoClient,
+ validator = require('validator'),
 secrets = require('../../config/secrets');
 var foundationDate = 1413298800000;
@@ -303,9 +304,8 @@ module.exports = function(app) {
 return next(new Error('Must be logged in'));
 }
 var url = req.body.data.url;
- var cleanURL = cleanData(url);
- if (cleanURL !== url) {
+ if (!validator.isURL(url)) {
 req.flash('errors', {
 msg: "The URL you submitted doesn't appear valid"
 });
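Review bot: The corrected filter in server/boot/user.js, `resetPasswordExpires: { gte: Date.now() }`, is written out twice, at `@@ -425` and again at `@@ -462`, which is how the same expiry bug came to sit in both lookups. Building the `where` clause in one small helper that takes the token and is called from both places would keep the two checks from drifting apart, and a comment such as `// a token is valid only while resetPasswordExpires is still in the future` would record the intent. Both lookups also match `resetPasswordToken` against the raw `req.params.token`, which suggests the token is stored unhashed; storing only a hash and looking up by that hash would limit what a database read exposes, though the code that issues the token is not visible here. Both enclosing handlers start and end outside the hunks.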
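Review bot: In server/boot/story.js at `@@ -303`, `validator.isURL(url)` runs with default options on a value read straight from `req.body.data.url`, which is looser than a link submission needs. With defaults the validator accepts `ftp://` and protocol-less strings, and depending on the installed validator version a non-string value is either coerced or makes the call throw; I would write `if (typeof url !== 'string' || !validator.isURL(url, { protocols: ['http', 'https'], require_protocol: true })) {`. The removed `cleanData` comparison presumably rejected markup in the submitted value, whereas `isURL` is a syntax check and not a sanitizer, so the URL still needs output encoding wherever it is rendered. The patch adds `validator = require('validator')` at `@@ -10` without touching package.json, so confirm the dependency is already declared. The enclosing handler starts and ends outside the hunk.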