Do not reuse reset password links

server/controllers/api/users/index.ts

@@ -356,6 +356,7 @@ async function resetUserPassword (req: express.Request, res: express.Response) {
   user.password = req.body.password
 
   await user.save()
+  await Redis.Instance.removePasswordVerificationString(user.id)
 
   return res.status(204).end()
 }

server/lib/redis.ts

@@ -84,6 +84,10 @@ class Redis {
     return generatedString
   }
 
+  async removePasswordVerificationString (userId: number) {
+    return this.removeValue(this.generateResetPasswordKey(userId))
+  }
+
   async getResetPasswordLink (userId: number) {
     return this.getValue(this.generateResetPasswordKey(userId))
   }
@@ -290,6 +294,16 @@ class Redis {
     })
   }
 
+  private removeValue (key: string) {
+    return new Promise<void>((res, rej) => {
+      this.client.del(this.prefix + key, err => {
+        if (err) return rej(err)
+
+        return res()
+      })
+    })
+  }
+
   private setObject (key: string, obj: { [id: string]: string }, expirationMilliseconds: number) {
     return new Promise<void>((res, rej) => {
       this.client.hmset(this.prefix + key, obj, (err, ok) => {

server/tests/api/server/email.ts

@@ -123,6 +123,10 @@ describe('Test emails', function () {
       await resetPassword(server.url, userId, verificationString, 'super_password2')
     })
 
+    it('Should not reset the password with the same verification string', async function () {
+      await resetPassword(server.url, userId, verificationString, 'super_password3', 403)
+    })
+
     it('Should login with this new password', async function () {
       user.password = 'super_password2'