From 2838ea5e8702901d2e2a24adadaf53df74ba9939 Mon Sep 17 00:00:00 2001
From: Taha Yassine Kraiem
Date: Tue, 28 Sep 2021 15:31:51 +0200
Subject: [PATCH] feat(api): reset password reuse the same token for 5min to bypass double request issue
---
 api/chalicelib/blueprints/bp_core_dynamic.py | 6 +++++-
 api/chalicelib/core/users.py | 3 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/api/chalicelib/blueprints/bp_core_dynamic.py b/api/chalicelib/blueprints/bp_core_dynamic.py
index af674f762..b695ab54a 100644
--- a/api/chalicelib/blueprints/bp_core_dynamic.py
+++ b/api/chalicelib/blueprints/bp_core_dynamic.py
@@ -360,7 +360,11 @@ def process_invitation_link():
 return {"errors": ["invitation not found"]}
 if user["expiredInvitation"]:
 return {"errors": ["expired invitation, please ask your admin to send a new one"]}
- pass_token = users.allow_password_change(user_id=user["userId"])
+ if user["expiredChange"] is not None and not user["expiredChange"] \ and user["changePwdToken"] is not None and user["changePwdAge"] < -5 * 60:
+ pass_token = user["changePwdToken"]
+ else:
+ pass_token = users.allow_password_change(user_id=user["userId"])
 return Response(
 status_code=307,
 body='',
diff --git a/api/chalicelib/core/users.py b/api/chalicelib/core/users.py
index 917328910..c001ea5e2 100644
--- a/api/chalicelib/core/users.py
+++ b/api/chalicelib/core/users.py
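Review bot: The reuse condition on the `changePwdAge` line keeps the existing token whenever it still has more than five minutes before `change_pwd_expire_at`, so the reuse window is the token lifetime minus five minutes rather than the five minutes named in the commit message; `change_pwd_age` is measured from expiry, not from issuance. If `allow_password_change` issues tokens with a long validity, repeated visits to the invitation link will stop rotating the reset token for almost its entire lifetime, which widens the period in which an already-issued token remains usable. A genuine five-minute reuse window needs the issuance time, which the query in this commit does not select; if the current behaviour is what is intended, name the constant and state it, e.g. `# reuse the outstanding reset token while it has > 5 min left before expiry; otherwise rotate it`. process_invitation_link starts before this hunk and the Response construction continues after it.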
@@ -526,7 +526,8 @@ def get_by_invitation_token(token, pass_token=None):
 *,
 DATE_PART('day',timezone('utc'::text, now()) \
 - COALESCE(basic_authentication.invited_at,'2000-01-01'::timestamp ))>=1 AS expired_invitation,
- change_pwd_expire_at <= timezone('utc'::text, now()) AS expired_change
+ change_pwd_expire_at <= timezone('utc'::text, now()) AS expired_change,
+ (EXTRACT(EPOCH FROM current_timestamp-basic_authentication.change_pwd_expire_at))::BIGINT AS change_pwd_age
 FROM public.users INNER JOIN public.basic_authentication USING(user_id)
 WHERE invitation_token = %(token)s {"AND change_pwd_token = %(pass_token)s" if pass_token else ""}
 LIMIT 1;""",
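Review bot: The new `change_pwd_age` column subtracts `change_pwd_expire_at` from `current_timestamp`, a timestamptz, while the `expired_change` line just above compares the same column against `timezone('utc'::text, now())`, which suggests it is stored as a naive UTC timestamp; if so, PostgreSQL casts it through the session TimeZone and the age is off by the session's UTC offset whenever that is not UTC. Because the caller in bp_core_dynamic.py turns this value into a five-minute decision, an offset of hours would make it either always or never reuse the token. Deriving both columns from the same clock keeps them consistent: `(EXTRACT(EPOCH FROM timezone('utc'::text, now()) - basic_authentication.change_pwd_expire_at))::BIGINT AS change_pwd_age`. A short SQL comment noting that the value is negative while the token is still valid would also help whoever reads the `< -5 * 60` check. get_by_invitation_token starts before this hunk and continues after the query string.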