From df24c663df9fb3e60e8079c4a4babd19d04b2b99 Mon Sep 17 00:00:00 2001
From: KernelDeimos
Date: Wed, 8 May 2024 22:28:41 -0400
Subject: [PATCH] Invalidate email confirmation on password change
---
 packages/backend/src/routers/passwd.js | 2 +-
 packages/backend/src/routers/set-pass-using-token.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/backend/src/routers/passwd.js b/packages/backend/src/routers/passwd.js
index 6fada5ed32..f2e4c714e9 100644
--- a/packages/backend/src/routers/passwd.js
+++ b/packages/backend/src/routers/passwd.js
@@ -62,7 +62,7 @@ router.post('/passwd', auth, express.json(), async (req, res, next)=>{
 return res.status(400).send('new_pass must be at least 6 characters long.')
 else{
 await db.write(
- 'UPDATE user SET password=?, `pass_recovery_token` = NULL WHERE `id` = ?',
+ 'UPDATE user SET password=?, `pass_recovery_token` = NULL, `change_email_confirm_token` = NULL WHERE `id` = ?',
 [await bcrypt.hash(req.body.new_pass, 8), req.user.id]
 );
 invalidate_cached_user(req.user);
diff --git a/packages/backend/src/routers/set-pass-using-token.js b/packages/backend/src/routers/set-pass-using-token.js
index 6f58592a7a..add303068f 100644
--- a/packages/backend/src/routers/set-pass-using-token.js
+++ b/packages/backend/src/routers/set-pass-using-token.js
@@ -68,7 +68,7 @@ router.post('/set-pass-using-token', express.json(), async (req, res, next)=>{
 try{
 const info = await db.write(
- 'UPDATE user SET password=?, pass_recovery_token=NULL WHERE `uuid` = ? AND pass_recovery_token = ?',
+ 'UPDATE user SET password=?, pass_recovery_token=NULL, change_email_confirm_token=NULL WHERE `uuid` = ? AND pass_recovery_token = ?',
 [await bcrypt.hash(req.body.password, 8), user_uid, token],
 );
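Review bot: The SET clause that revokes outstanding tokens is now written out twice, in the `/passwd` query here and in the `/set-pass-using-token` query in the second hunk (with different quoting), so the next credential-bearing column added to `user` has to be remembered in both routes; a shared constant or helper for the "password changed" column list would keep them in step. Neither query says why an email-change token is cleared on a password change, so I would add `// Also drop any pending email-change token: one issued before the password change must not be confirmable afterwards.` above the `db.write` call in both files. From the hunks alone I cannot tell whether a pending new address is kept in a separate column that stays set, or whether existing sessions are revoked beyond `invalidate_cached_user(req.user)`; both are worth confirming against the schema and the auth layer. Both route handlers start and end outside their hunks.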