From e9c5f123383e461a890c95368dce6f79d3b84660 Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Wed, 12 Aug 2020 09:15:31 +0200
Subject: [PATCH] Do not reuse reset password links

---
 server/controllers/api/users/index.ts |  1 +
 server/lib/redis.ts                   | 14 ++++++++++++++
 server/tests/api/server/email.ts      |  4 ++++
 3 files changed, 19 insertions(+)

diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts
index 5ae0dc7a7..5b113feac 100644
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -356,6 +356,7 @@ async function resetUserPassword (req: express.Request, res: express.Response) {
   user.password = req.body.password
 
   await user.save()
+  await Redis.Instance.removePasswordVerificationString(user.id)
 
   return res.status(204).end()
 }
diff --git a/server/lib/redis.ts b/server/lib/redis.ts
index 5313c4685..a075eee2d 100644
--- a/server/lib/redis.ts
+++ b/server/lib/redis.ts
@@ -84,6 +84,10 @@ class Redis {
     return generatedString
   }
 
+  async removePasswordVerificationString (userId: number) {
+    return this.removeValue(this.generateResetPasswordKey(userId))
+  }
+
   async getResetPasswordLink (userId: number) {
     return this.getValue(this.generateResetPasswordKey(userId))
   }
@@ -290,6 +294,16 @@ class Redis {
     })
   }
 
+  private removeValue (key: string) {
+    return new Promise<void>((res, rej) => {
+      this.client.del(this.prefix + key, err => {
+        if (err) return rej(err)
+
+        return res()
+      })
+    })
+  }
+
   private setObject (key: string, obj: { [id: string]: string }, expirationMilliseconds: number) {
     return new Promise<void>((res, rej) => {
       this.client.hmset(this.prefix + key, obj, (err, ok) => {
diff --git a/server/tests/api/server/email.ts b/server/tests/api/server/email.ts
index b01a91d48..05c89d2a3 100644
--- a/server/tests/api/server/email.ts
+++ b/server/tests/api/server/email.ts
@@ -123,6 +123,10 @@ describe('Test emails', function () {
       await resetPassword(server.url, userId, verificationString, 'super_password2')
     })
 
+    it('Should not reset the password with the same verification string', async function () {
+      await resetPassword(server.url, userId, verificationString, 'super_password3', 403)
+    })
+
     it('Should login with this new password', async function () {
       user.password = 'super_password2'