reset the ApiToken on password changes/resets (#15433)

* reset the ApiToken on password changes/resets

* fix/add tests

* fix(typo): test grammar

* update the new API token strings, remove the unused one

---------

Co-authored-by: Kalista Payne <sabrecat@gmail.com>
This commit is contained in:
negue
2025-07-01 19:30:34 +02:00
committed by GitHub
parent e68661c04b
commit 6fdc072ec3
12 changed files with 106 additions and 74 deletions


@@ -271,7 +271,7 @@ api.updateUsername = {
* @apiParam (Body) {String} newPassword The new password
* @apiParam (Body) {String} confirmPassword New password confirmation
*
* @apiSuccess {Object} data An empty object
* @apiSuccess {String} data.apiToken The new apiToken
* */
api.updatePassword = {
method: 'PUT',
@@ -316,9 +316,14 @@ api.updatePassword = {
// set new password and make sure it's using bcrypt for hashing
await passwordUtils.convertToBcrypt(user, newPassword);
user.apiToken = common.uuid();
await user.save();
res.respond(200, {});
res.respond(200, {
apiToken: user.apiToken,
});
},
};
@@ -350,6 +355,7 @@ api.resetPassword = {
{ 'auth.local.email': email }, // Prefer to reset password for local auth
{ auth: 1 },
).exec();
if (!user) { // If no local auth with that email...
const potentialUsers = await User.find(
{
@@ -486,6 +492,9 @@ api.resetPasswordSetNewOne = {
await passwordUtils.convertToBcrypt(user, String(newPassword));
user.auth.local.passwordResetCode = undefined; // Reset saved password reset code
if (!user.auth.local.email) user.auth.local.email = await socialEmailToLocal(user);
user.apiToken = common.uuid();
await user.save();
return res.respond(200, {}, res.t('passwordChangeSuccess'));
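Review bot: The new line `user.apiToken = common.uuid();` in resetPasswordSetNewOne (and the identical line added to updatePassword earlier in this file) has no comment saying why the token changes, which matters because invalidating every other client holding the old token is the intended side effect and a future reader could mistake it for accidental churn. Suggested comment above both lines: `// Rotate the API token so sessions issued under the old password stop working`. Since apiToken is used as a bearer credential, it is also worth confirming that common.uuid() draws from a CSPRNG rather than a time- or counter-based generator; that cannot be seen from this hunk. The reset flow still responds with `{}`, so unlike updatePassword the caller only obtains the new token by logging in again, which appears deliberate but could be stated in the handler's apidoc.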