Fix false-positive password recovery response

KernelDeimos 2024-04-21 18:28:39 -04:00
parent f5f75dbef8
commit 5c1e6ab16b


@ -53,10 +53,15 @@ router.post('/set-pass-using-token', express.json(), async (req, res, next)=>{
return res.status(400).send(`Password must be at least ${config.min_pass_length} characters long.`) return res.status(400).send(`Password must be at least ${config.min_pass_length} characters long.`)
try{ try{
await db.write( const info = await db.write(
'UPDATE user SET password=?, pass_recovery_token=NULL WHERE `uuid` = ? AND pass_recovery_token = ?', 'UPDATE user SET password=?, pass_recovery_token=NULL WHERE `uuid` = ? AND pass_recovery_token = ?',
[await bcrypt.hash(req.body.password, 8), req.body.user_id, req.body.token] [await bcrypt.hash(req.body.password, 8), req.body.user_id, req.body.token]
); );
if ( ! info?.anyRowsAffected ) {
return res.status(400).send('Invalid token or user_id.');
}
invalidate_cached_user_by_id(req.body.user_id); invalidate_cached_user_by_id(req.body.user_id);
return res.send('Password successfully updated.') return res.send('Password successfully updated.')