From 2409f991b607a06ed63c135efb0a4b4347da3e0b Mon Sep 17 00:00:00 2001
From: zhangx1n
Date: Wed, 23 Apr 2025 10:27:04 +0800
Subject: [PATCH] chore: Manually resolve merge conflict in forgot_password.py
---
 api/controllers/console/auth/forgot_password.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/api/controllers/console/auth/forgot_password.py b/api/controllers/console/auth/forgot_password.py
index 8be8f7e893..2ee9c7c468 100644
--- a/api/controllers/console/auth/forgot_password.py
+++ b/api/controllers/console/auth/forgot_password.py
@@ -26,6 +26,7 @@ from services.feature_service import FeatureService
 class ForgotPasswordSendEmailApi(Resource):
 @setup_required
+ @email_password_login_enabled
 def post(self):
 parser = reqparse.RequestParser()
 parser.add_argument("email", type=email, required=True, location="json")
@@ -57,6 +58,7 @@ class ForgotPasswordSendEmailApi(Resource):
 class ForgotPasswordCheckApi(Resource):
 @setup_required
+ @email_password_login_enabled
 def post(self):
 parser = reqparse.RequestParser()
 parser.add_argument("email", type=str, required=True, location="json")
@@ -76,11 +78,20 @@ class ForgotPasswordCheckApi(Resource):
 if args["code"] != token_data.get("code"):
 raise EmailCodeError()
- return {"is_valid": True, "email": token_data.get("email")}
+ # Verified, revoke the first token
+ AccountService.revoke_reset_password_token(args["token"])
+
+ # Refresh token data by generating a new token
+ _, new_token = AccountService.generate_reset_password_token( user_email, code=args["code"], additional_data={"phase": "reset"} )
+
+ return {"is_valid": True, "email": token_data.get("email"), "token": new_token}
 class ForgotPasswordResetApi(Resource):
 @setup_required
+ @email_password_login_enabled
 def post(self):
 parser = reqparse.RequestParser()
 parser.add_argument("token", type=str, required=True, nullable=False, location="json")
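Review bot: The revoke added after the code check in ForgotPasswordCheckApi.post only runs on the success path; on the `raise EmailCodeError()` branch just above it the first token stays valid, so whoever holds that token can keep submitting codes against the same `token_data` unless AccountService throttles attempts elsewhere, and the single-use token introduced here does not by itself bound guessing. A bounded attempt counter, or at minimum `AccountService.revoke_reset_password_token(args["token"])` before the raise, would make the phase split actually limit that. The new token is also minted from `user_email`, which is not defined in this hunk, while the response echoes `token_data.get("email")`; if the two were checked equal earlier in the method, use one name for both so the reset-phase token and the response cannot diverge. Carrying `code=args["code"]` into the reset-phase token looks unnecessary once the code has been verified, since as far as is visible the following hunk gates the reset endpoint on `phase` alone. The post method begins before this hunk.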
@@ -99,6 +110,9 @@ class ForgotPasswordResetApi(Resource):
 if reset_data is None:
 raise InvalidTokenError()
+ # Must use token in reset phase
+ if reset_data.get("phase", "") != "reset":
+ raise InvalidTokenError()
 AccountService.revoke_reset_password_token(token)