feat(api): reset password keep same token for 5min for double request

2021-09-30 19:48:06 +02:00 · 2021-09-30 19:48:06 +02:00 · a4f45fa002
commit a4f45fa002
parent a8cd5f06e3
2 changed files with 7 additions and 2 deletions
--- a/api/chalicelib/blueprints/bp_core_dynamic.py
+++ b/api/chalicelib/blueprints/bp_core_dynamic.py
@ -360,6 +360,10 @@ def process_invitation_link():
        return {"errors": ["invitation not found"]}
    if user["expiredInvitation"]:
        return {"errors": ["expired invitation, please ask your admin to send a new one"]}
+    if user["expiredChange"] is not None and not user["expiredChange"] \
+            and user["changePwdToken"] is not None and user["changePwdAge"] < -5 * 60:
+        pass_token = user["changePwdToken"]
+    else:
        pass_token = users.allow_password_change(user_id=user["userId"])
    return Response(
        status_code=307,
--- a/api/chalicelib/core/users.py
+++ b/api/chalicelib/core/users.py
@ -526,7 +526,8 @@ def get_by_invitation_token(token, pass_token=None):
                        *,
                        DATE_PART('day',timezone('utc'::text, now()) \
                            - COALESCE(basic_authentication.invited_at,'2000-01-01'::timestamp ))>=1 AS expired_invitation,
-                        change_pwd_expire_at <= timezone('utc'::text, now()) AS expired_change
+                        change_pwd_expire_at <= timezone('utc'::text, now()) AS expired_change,
+                        (EXTRACT(EPOCH FROM current_timestamp-basic_authentication.change_pwd_expire_at))::BIGINT AS change_pwd_age
                    FROM public.users INNER JOIN public.basic_authentication USING(user_id)
                    WHERE invitation_token = %(token)s {"AND change_pwd_token = %(pass_token)s" if pass_token else ""}
                    LIMIT 1;""",