Avoid consecutive password reset requests

apps/web/components/forgot-password.tsx

@@ -29,21 +29,20 @@ export default function ForgotPassword() {
         loading: "Sending...",
         success: `Reset link sent. `,
         error: "Could not send reset link :/",
-      },
-      {
-        style: {
-          minWidth: "200px",
-        },
       }
     );
 
     if (!response.ok) {
       toast.dismiss();
 
-      if (response.status == 400 || response.status == 404) {
+      if (response.status == 404) {
         toast.error("Email address not found.");
       }
 
+      if (response.status == 400) {
+        toast.error("Password reset requested.");
+      }
+
       if (response.status == 500) {
         toast.error("Something went wrong.");
       }

apps/web/components/reset-password.tsx

@@ -4,7 +4,7 @@ import { useRouter } from "next/router";
 import { Button } from "@documenso/ui";
 import Logo from "./logo";
 import { ArrowLeftIcon } from "@heroicons/react/24/outline";
-import { FormProvider, useForm, useWatch } from "react-hook-form";
+import { FormProvider, useForm } from "react-hook-form";
 import { toast } from "react-hot-toast";
 
 interface IResetPassword {

apps/web/pages/api/auth/forgot-password.ts

@@ -23,10 +23,24 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
     return res.status(404).json({ message: "No user found with this email." });
   }
 
+  const existingToken = await prisma.passwordResetToken.findFirst({
+    where: {
+      userId: user.id,
+      createdAt: {
+        gte: new Date(Date.now() - 1000 * 60 * 60),
+      },
+    },
+  });
+
+  if (existingToken) {
+    return res
+      .status(400)
+      .json({ message: "A password reset has already been requested. Please check your email." });
+  }
+
   const token = crypto.randomBytes(64).toString("hex");
 
   let passwordResetToken;
-
   try {
     passwordResetToken = await prisma.passwordResetToken.create({
       data: {