A successful login or a password change should invalidate the current password reset token. Both operations are evidence that either the user is still in possession of valid credentials or that an admin has forcefully reset the password.
FreeIPA keeps track of logins and password changes in the LDAP attributes krbLastPwdChange and krbLastSuccessfulAuth. When a user requests a password reset, the portal should store the current values of these two attributes in its sqlite database alongside the token. When the token is redeemed, it compares the stored values with the attributes' current values in LDAP. If either current value is newer than the stored one, it shall refuse the password reset.
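The check described above, as an added example that is not part of the portal's own code. It assumes an sqlite table named `reset_tokens` (a constructed schema), an LDAP entry passed in as a plain dict (the real portal would fetch it via its FreeIPA client), and that the two attributes are LDAP GeneralizedTime strings of the form `YYYYMMDDHHMMSSZ`, which is how FreeIPA stores them:

```python
"""Invalidate a pending password-reset token when the account has been
used or changed since the token was issued, by snapshotting FreeIPA's
krbLastPwdChange and krbLastSuccessfulAuth at request time and comparing
them at redemption time.  Added example; not the portal's code."""
import secrets
import sqlite3
from datetime import datetime, timezone

# Constructed schema: one row per outstanding token with the LDAP snapshot.
SCHEMA = """
CREATE TABLE IF NOT EXISTS reset_tokens (
    token             TEXT PRIMARY KEY,
    uid               TEXT NOT NULL,
    last_pwd_change   TEXT,
    last_success_auth TEXT
)
"""


def open_store(path=":memory:"):
    """Open the sqlite store and make sure the token table exists."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime value (e.g. '20240101120000Z') to an
    aware datetime; None if the attribute is absent (never logged in)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def issue_token(conn, uid, ldap_entry):
    """Create a reset token and store the attribute values as of now.
    ldap_entry is a dict of the user's LDAP attributes (assumed shape)."""
    token = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO reset_tokens (token, uid, last_pwd_change, last_success_auth) "
        "VALUES (?, ?, ?, ?)",
        (token, uid, ldap_entry.get("krbLastPwdChange"),
         ldap_entry.get("krbLastSuccessfulAuth")),
    )
    conn.commit()
    return token


def _is_newer(stored, current):
    """True if the live LDAP value postdates the snapshot.  An attribute that
    was absent at issue time but is present now also counts as newer."""
    snapshot = parse_generalized_time(stored)
    live = parse_generalized_time(current)
    if live is None:
        return False
    if snapshot is None:
        return True
    return live > snapshot


def redeem_token(conn, token, ldap_entry):
    """Consume the token and decide whether the reset may proceed.
    Returns (True, uid) on success or (False, reason) on refusal.
    The token is deleted in every case so it cannot be retried."""
    row = conn.execute(
        "SELECT uid, last_pwd_change, last_success_auth "
        "FROM reset_tokens WHERE token = ?", (token,)
    ).fetchone()
    if row is None:
        return False, "unknown token"
    conn.execute("DELETE FROM reset_tokens WHERE token = ?", (token,))
    conn.commit()
    uid, stored_pwd, stored_auth = row
    if _is_newer(stored_pwd, ldap_entry.get("krbLastPwdChange")):
        return False, "password changed since token was issued"
    if _is_newer(stored_auth, ldap_entry.get("krbLastSuccessfulAuth")):
        return False, "successful login since token was issued"
    return True, uid


if __name__ == "__main__":
    # Constructed sample entry for a user who last changed the password on
    # 2024-01-01 and last logged in on 2024-01-02.
    entry = {"krbLastPwdChange": "20240101120000Z",
             "krbLastSuccessfulAuth": "20240102080000Z"}
    db = open_store()
    tok = issue_token(db, "alice", entry)
    # A login after the request makes the live value newer: reset refused.
    after_login = dict(entry, krbLastSuccessfulAuth="20240103080000Z")
    print(redeem_token(db, tok, after_login))
```

The comparison is done against values re-read from LDAP at redemption time, not against anything the client submits, and the token row is removed on every outcome so a refused token cannot be retried once the attributes happen to match again.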
See #38