Open calzoneman opened 4 years ago
Well, this feature works, but I found another bug: if you use the navbar to log in after recovering, then you get an error about the password reset already being consumed (but you are logged in successfully) -- login shouldn't redirect back to a password recovery page.
Originally reported by a user who was having problems with password resets.
Some email clients like to fetch URLs they can find to preview them:
CyTube then marks this password reset link as "used", so when the user actually clicks on it, they can't recover their account (as a separate issue, the website should display a better error message in this case).
Probably need to have the URL in the email render a page with a `POST` form for the user to click submit to actually consume the token (this should prevent link preview fetchers from accidentally submitting it).
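The approach proposed in the issue, as an added example that is not part of the original report and not CyTube's code: a safe-method request (what a link preview fetcher sends) only renders the confirmation form, and the token is consumed on `POST` alone. The store, the `issueReset` and `handleReset` names, the status codes and the 24-hour lifetime are all assumptions made for illustration.

```javascript
// Added example: constructed token store and handler, not CyTube's implementation.
const crypto = require('crypto');

const resets = new Map(); // sha256(token) -> { user, expires, used }
const hash = (token) => crypto.createHash('sha256').update(token).digest('hex');

// Create a reset token; only its hash is stored, the raw value goes in the email URL.
function issueReset(user, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  resets.set(hash(token), { user, expires: now + 24 * 3600 * 1000, used: false });
  return token;
}

// Read-only lookup shared by every method; distinguishes the failure cases so the
// page can show a specific message instead of a generic error.
function lookup(token, now) {
  const rec = resets.get(hash(String(token)));
  if (!rec) return { status: 404, body: 'Unknown reset link' };
  if (rec.used) return { status: 410, body: 'Reset link already used' };
  if (rec.expires < now) return { status: 410, body: 'Reset link expired' };
  return { rec };
}

// Hypothetical route handler. GET and HEAD never change state, so a mail client
// that prefetches the URL cannot burn the token.
function handleReset(method, token, now = Date.now()) {
  const found = lookup(token, now);
  if (!found.rec) return { status: found.status, body: found.body };
  if (method === 'GET' || method === 'HEAD') {
    // Only tokens that matched a stored hash reach this point, so the value
    // echoed into the form is one this server generated (hex characters only).
    return {
      status: 200,
      body: `<form method="POST"><input type="hidden" name="token" value="${token}">` +
            '<button type="submit">Reset my password</button></form>',
    };
  }
  if (method === 'POST') {
    found.rec.used = true; // consumed only on the user's explicit submit
    return { status: 200, body: `Password reset for ${found.rec.user}` };
  }
  return { status: 405, body: 'Method not allowed' };
}
```
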