fix: #9605, expire all active reset tokens for a uid if that uid generates a new one

4 years ago · 229f96f872
parent f4eb336ad3
commit 229f96f872
1 changed files with 4 additions and 0 deletions
--- a/src/user/reset.js
+++ b/src/user/reset.js
@ -28,6 +28,10 @@ UserReset.validate = async function (code) {

 UserReset.generate = async function (uid) {
 	const code = utils.generateUUID();
+
+	// Invalidate past tokens (must be done prior)
+	await UserReset.cleanByUid(uid);
+
 	await Promise.all([
 		db.setObjectField('reset:uid', code, uid),
 		db.sortedSetAdd('reset:issueDate', Date.now(), code),