Shane Kilkelly
0aaeb6671e
Keep password reset token in session, and strip it from reset page url.
This fixes an issue where the reset token was leaked in the referrer header
when navigating away from the password reset page to an external site.
Now we get the token from the query string, store it in the session,
then redirect to the bare url of the password reset page, which then
uses the stored token to render the reset form.
2015-08-24 11:53:33 +01:00
Henry Oswald
3ecf201eda
send -> sendStatus
2015-07-08 16:56:38 +01:00
James Allen
accd8207b2
Show password reset expired message rather than server error if that's what has happened
2014-10-08 17:18:24 +01:00
James Allen
10021986c5
Don't error on password reset if no email found, and translate error messages
2014-08-08 11:41:54 +01:00
Henry Oswald
d047d44079
Changed the error messages which are sent down to the client to be translated first
fixed up tests from titles we check when rendering, deleted them as they never
catch anything important, more hassle than they are worth imo.
2014-08-01 14:03:38 +01:00
Henry Oswald
dabed896be
lowercase password reset email
2014-06-10 17:54:29 +01:00
Henry Oswald
bf1bb22afd
added rate limiting to password reset endpoint
2014-05-16 10:31:33 +01:00
Henry Oswald
9f901fb1ba
added the token generator and its getNewToken function
2014-05-15 17:16:20 +01:00
Henry Oswald
64688e661d
written password reset controller
2014-05-15 16:50:38 +01:00
Henry Oswald
551e1d465a
written password reset handler
2014-05-15 16:20:23 +01:00