fix(core): Make password-reset urls valid only for single-use (#7622)

2025-12-17 01:56:46 +00:00 · 2023-11-07 15:35:43 +01:00
parent b3470fd64d
commit 60314248f4
13 changed files with 206 additions and 168 deletions
--- a/packages/cli/src/controllers/users.controller.ts
+++ b/packages/cli/src/controllers/users.controller.ts
@@ -411,23 +411,8 @@ export class UsersController {
 			throw new NotFoundError('User not found');
 		}

-		const resetPasswordToken = this.jwtService.signData(
-			{ sub: user.id },
-			{
-				expiresIn: '1d',
-			},
-		);
-
-		const baseUrl = getInstanceBaseUrl();
-
-		const link = this.userService.generatePasswordResetUrl(
-			baseUrl,
-			resetPasswordToken,
-			user.mfaEnabled,
-		);
-		return {
-			link,
-		};
+		const link = this.userService.generatePasswordResetUrl(user);
+		return { link };
 	}

 	@Authorized(['global', 'owner'])