Avoid consecutive password reset requests

2025-11-18 18:51:37 +10:00 · 2023-06-05 16:01:01 +00:00
parent e9cee23c15
commit 4136811e32
3 changed files with 21 additions and 8 deletions
--- a/apps/web/pages/api/auth/forgot-password.ts
+++ b/apps/web/pages/api/auth/forgot-password.ts
@ -23,10 +23,24 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
    return res.status(404).json({ message: "No user found with this email." });
  }

+  const existingToken = await prisma.passwordResetToken.findFirst({
+    where: {
+      userId: user.id,
+      createdAt: {
+        gte: new Date(Date.now() - 1000 * 60 * 60),
+      },
+    },
+  });
+
+  if (existingToken) {
+    return res
+      .status(400)
+      .json({ message: "A password reset has already been requested. Please check your email." });
+  }
+
  const token = crypto.randomBytes(64).toString("hex");

  let passwordResetToken;
-
  try {
    passwordResetToken = await prisma.passwordResetToken.create({
      data: {