Expire token after 1 hour

This commit is contained in:
Ephraim Atta-Duncan
2023-06-05 16:54:12 +00:00
parent 2b9a2ff250
commit 3a0648c85d
6 changed files with 25 additions and 23 deletions


@ -20,7 +20,7 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
});
if (!user) {
return res.status(404).json({ message: "No user found with this email." });
return res.status(404).json({ message: "No user found with this email" });
}
const existingToken = await prisma.passwordResetToken.findFirst({
@ -33,23 +33,24 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
});
if (existingToken) {
return res
.status(400)
.json({ message: "A password reset has already been requested. Please check your email." });
return res.status(400).json({ message: "Password reset requested." });
}
const token = crypto.randomBytes(64).toString("hex");
const expiry = new Date();
expiry.setHours(expiry.getHours() + 1); // Set expiry to one hour from now
let passwordResetToken;
try {
passwordResetToken = await prisma.passwordResetToken.create({
data: {
token,
expiry,
userId: user.id,
},
});
} catch (error) {
return res.status(500).json({ message: "Error saving token." });
return res.status(500).json({ message: "Something went wrong" });
}
await sendResetPassword(user, passwordResetToken.token);
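Review bot: The new expiry is never consulted by the existing-token gate just above it, so once a token has passed its expiry (and no cleanup removes the row) every later request for the same user still returns the 400 "Password reset requested." and the user can never obtain a fresh token; unless the `findFirst` filter (cut by the hunk header, so not visible here) already excludes expired rows, the guard should become `if (existingToken && existingToken.expiry > new Date()) {`. Separately, `expiry.setHours(expiry.getHours() + 1)` counts in local wall-clock hours, so around a DST transition the token lifetime can come out as zero or two hours depending on the host timezone; `const expiry = new Date(Date.now() + 60 * 60 * 1000); // one hour from now` gives a fixed 60-minute lifetime regardless of locale. The `catch (error)` branch still discards the Prisma error before answering 500, which makes a failed insert impossible to diagnose from logs; at least `console.error("passwordResetToken.create failed", error);` belongs there. postHandler begins before this hunk and continues after it.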


@ -25,12 +25,16 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
return res.status(404).json({ message: "Invalid token." });
}
const now = new Date();
if (now > foundToken.expiry) {
return res.status(400).json({ message: "Token has expired" });
}
const isSamePassword = await verifyPassword(password, foundToken.User.password!);
if (isSamePassword) {
return res
.status(400)
.json({ message: "New password must be different from the current password." });
return res.status(400).json({ message: "New password must be different" });
}
const hashedPassword = await hashPassword(password);