Send a POST request to the /reset page with the appropriate request.form['username'] and whatever request.form['password'] you want their password to be.
Login with the password you created.
NOTE: you have 5 minutes to do this after they put their account in reset mode.
Probable fix:
Modify the reset page get request to embed the reset key in it.
return render_template("reset.html", username=request.args['user'], reset_key=request.args['key'])
Store that in a hidden form element.
<input class="hide" type="text" name="reset_key" value="{{ reset_key }}" />
Return it with the POST request.
Verify the key before processing the post request
if database.validate_reset(request.form['username'], request.form['reset_key'])):
klondikemarlen
commented
6 years ago
How to access:
NOTE: you have 5 minutes to do this after they put their account in reset mode.
Probable fix:
return render_template("reset.html", username=request.args['user'], reset_key=request.args['key'])<input class="hide" type="text" name="reset_key" value="{{ reset_key }}" />if database.validate_reset(request.form['username'], request.form['reset_key'])):