Hash reset codes in database

Otherwise, they can be reused if the database gets leaked.
2025-06-07 19:28:58 -06:00 · 2025-06-07 19:28:58 -06:00 · dc22a5bc7c
commit dc22a5bc7c
parent fa4f77c365
2 changed files with 11 additions and 4 deletions
--- a/vedia.rb
+++ b/vedia.rb
@ -130,7 +130,8 @@ end
 post '/reset' do
  @user = User.find_by(email: params[:email])
  if @user
-    @user.reset = SecureRandom.uuid
+    @reset = SecureRandom.uuid
    @user.reset = hash_password(@reset)
    @user.save
    mail = Mail.new
    mail.from = settings.admin_email
@ -143,7 +144,10 @@ post '/reset' do
 end
 get '/reset/:uuid' do
-  @user = User.find_by(reset: params[:uuid])
+  @user = nil
  User.where.not(reset: nil).each do |user|
    @user = user if verify_password(params[:uuid], user.reset)
  end
  if @user
    erb :reset_change
  else
@ -152,7 +156,10 @@ get '/reset/:uuid' do
 end
 post '/reset/:uuid' do
-  @user = User.find_by(reset: params[:uuid])
+  @user = nil
  User.where.not(reset: nil).each do |user|
    @user = user if verify_password(params[:uuid], user.reset)
  end
  if @user
    @errors = []
    if params[:password].empty?
--- a/views/reset_email.erb
+++ b/views/reset_email.erb
@ -1,3 +1,3 @@
 <%= _("Visit the following link to reset your password:") %>
-<%= "#{settings.base_url}reset/#{@user.reset}" %>
+<%= "#{settings.base_url}reset/#{@reset}" %>
`@ -1,3 +1,3 @@`
	`<%= _("Visit the following link to reset your password:") %>`	`<%= _("Visit the following link to reset your password:") %>`

	`<%= "#{settings.base_url}reset/#{@user.reset}" %>`	`<%= "#{settings.base_url}reset/#{@reset}" %>`