fix(reset): validate token on GET and surface errors on POST
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
- Verify reset token before showing the form (GET), redirecting with an error immediately if the token is invalid or expired - Add peekResetToken to check token validity non-destructively - Fix POST form action to include query params so the URL check doesn't silently redirect to /lost before processing errors - Update page title and subtitle to reflect the reset step Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
2e6227b36c
commit
335a656a0e
3 changed files with 19 additions and 3 deletions
6
reset.go
6
reset.go
|
|
@ -22,6 +22,12 @@ func resetPassword(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
if r.Method != "POST" {
|
||||
if !peekResetToken(r.URL.Query().Get("t")) {
|
||||
displayTmplError(w, http.StatusGone, "reset.html", map[string]any{
|
||||
"error": "Token invalid or expired, please retry the lost password procedure. Tokens expire after 1 hour.",
|
||||
})
|
||||
return
|
||||
}
|
||||
csrfToken, err := setCSRFToken(w)
|
||||
if err != nil {
|
||||
http.Error(w, "Internal server error", http.StatusInternalServerError)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue