Disable password reset token when email or password is changed

2025-01-23 22:40:20 +08:00 · 2024-05-07 20:18:11 -04:00 · 2024-05-07 20:18:11 -04:00 · 5890b7e7bf
commit 5890b7e7bf
parent d58aa33d2b
2 changed files with 2 additions and 2 deletions
--- a/packages/backend/src/routers/change_email.js
+++ b/packages/backend/src/routers/change_email.js
@ -122,7 +122,7 @@ const CHANGE_EMAIL_CONFIRM = eggspress('/change_email/confirm', {
    const new_email = rows[0].unconfirmed_change_email;

    await db.write(
-        'UPDATE `user` SET `email` = ?, `unconfirmed_change_email` = NULL, `change_email_confirm_token` = NULL WHERE `id` = ?',
+        'UPDATE `user` SET `email` = ?, `unconfirmed_change_email` = NULL, `change_email_confirm_token` = NULL, `pass_recovery_token` = NULL WHERE `id` = ?',
        [new_email, user_id]
    );

--- a/packages/backend/src/routers/passwd.js
+++ b/packages/backend/src/routers/passwd.js
@ -62,7 +62,7 @@ router.post('/passwd', auth, express.json(), async (req, res, next)=>{
            return res.status(400).send('new_pass must be at least 6 characters long.')
        else{
            await db.write(
-                'UPDATE user SET password=? WHERE `id` = ?',
+                'UPDATE user SET password=?, `pass_recovery_token` = NULL WHERE `id` = ?',
                [await bcrypt.hash(req.body.new_pass, 8), req.user.id]
            );
            invalidate_cached_user(req.user);