Closed
Description
This issue is automatically created based on existing pull request: #25280: Reuse password reset tokens until they expire
Description (*)
This avoids a race condition where email delivery is slow and the user generates a
new token before the original (now invalid) token is received.
Consider the following scenario:
- User requests token (1)
- User waits, but does not yet receive the token
- User requests another token (2)
- User receives token (1), but this is invalid
- User requests another token (3)
- User receives token (2), but this is invalid
- [repeat]
This also has the added bonus of not giving an attacker sequential tokens upon request. While the tokens are understood to be suitably opaque, any information disclosures identified in future will be at least partially mitigated by reusing the same token rather than giving out another token data point.
Fixed Issues (if relevant)
Manual testing scenarios (*)
- Generate password reset email (admin & frontend)
- Wait for time-out
- Generate another password reset email
- Observe same token in both emails
Questions or comments
I am unsure if this change requires a unit test.
Contribution checklist (*)
- Pull request has a meaningful description of its purpose
- All commits are accompanied by meaningful commit messages
- All new or changed code is covered with unit/integration tests (if applicable)
- All automated tests passed successfully (all builds are green)
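A small model of the reuse-until-expiry behaviour the description proposes, added here as an illustration; it is not the PR's own PHP change or Magento code. The class and function names, the in-memory store and the 600-second lifetime are assumptions for the example. It replays the slow-email scenario from the description with the old behaviour (a new token on every request) and the proposed one side by side, and then checks that a token is still replaced once it has expired:

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed lifetime for the illustration; not Magento's configured value.
TOKEN_LIFETIME_SECONDS = 600


@dataclass
class ResetToken:
    value: str
    created_at: float  # seconds; the caller supplies the clock


class PasswordResetService:
    """Hypothetical reset-token store (not Magento's).

    reuse_unexpired=False: every request mints a fresh token and discards the
    previous one (the behaviour the description calls a race).
    reuse_unexpired=True:  an unexpired token is handed out again instead.
    The token is kept in recoverable form server-side because reuse means
    putting the same value into a second email.
    """

    def __init__(self, reuse_unexpired: bool, lifetime: int = TOKEN_LIFETIME_SECONDS):
        self.reuse_unexpired = reuse_unexpired
        self.lifetime = lifetime
        self._tokens: Dict[str, ResetToken] = {}

    def _current(self, user_id: str, now: float) -> Optional[ResetToken]:
        """Return the user's token if one exists and has not expired."""
        tok = self._tokens.get(user_id)
        if tok is None:
            return None
        if now - tok.created_at >= self.lifetime:
            del self._tokens[user_id]  # expired: drop it
            return None
        return tok

    def request_reset(self, user_id: str, now: float) -> str:
        """Return the token to embed in the reset email."""
        if self.reuse_unexpired:
            existing = self._current(user_id, now)
            if existing is not None:
                return existing.value
        fresh = ResetToken(secrets.token_urlsafe(32), now)
        self._tokens[user_id] = fresh
        return fresh.value

    def consume(self, user_id: str, presented: str, now: float) -> bool:
        """Accept the token once, compared in constant time, then invalidate it."""
        tok = self._current(user_id, now)
        if tok is None or not hmac.compare_digest(tok.value.encode(), presented.encode()):
            return False
        del self._tokens[user_id]
        return True


def slow_email_scenario(reuse_unexpired: bool) -> Tuple[bool, bool]:
    """The scenario from the description, with constructed timestamps in seconds.

    Returns (both emails carry the same token, the first email's link works).
    """
    svc = PasswordResetService(reuse_unexpired)
    token_1 = svc.request_reset("alice", now=0)    # user requests token (1)
    token_2 = svc.request_reset("alice", now=120)  # still waiting, requests token (2)
    # Email (1) finally arrives at t=180 and the user follows its link.
    accepted = svc.consume("alice", token_1, now=180)
    return token_1 == token_2, accepted


def expiry_scenario() -> Tuple[bool, bool]:
    """After the lifetime passes a new token is issued and the old one is rejected.

    Returns (second token differs, the expired first token is still accepted).
    """
    svc = PasswordResetService(reuse_unexpired=True, lifetime=600)
    token_1 = svc.request_reset("alice", now=0)
    token_2 = svc.request_reset("alice", now=601)  # past the lifetime
    stale_accepted = svc.consume("alice", token_1, now=602)
    return token_1 != token_2, stale_accepted


if __name__ == "__main__":
    print("regenerate each time:", slow_email_scenario(reuse_unexpired=False))  # (False, False)
    print("reuse until expiry:  ", slow_email_scenario(reuse_unexpired=True))   # (True, True)
    print("after expiry:        ", expiry_scenario())                          # (True, False)
```

Two points the example makes explicit that a real implementation has to decide on: reusing a token only works if the server can recover it to put into the next email, so it cannot be stored as a one-way hash; and the token still has to be compared in constant time and invalidated on first use, since reuse extends the window in which copies of it exist in mailboxes.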