Prevent password reset links from being consumed by link preview fetchers
Opened this issue · 1 comment
Originally reported by a user who was having problems with password resets.
Some email clients like to fetch URLs they can find to preview them:
207.46.13.30 - - [12/Jun/2020:18:18:59 +0000] "GET /account/passwordrecover/[redacted] HTTP/1.1" 200 1685 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b"
CyTube then marks this password reset link as "used", so when the user actually clicks on it, they can't recover their account (as a separate issue, the website should display a better error message in this case).
Probably need to have the URL in the email render a page with a POST form for the user to click submit to actually consume the token (this should prevent link preview fetchers from accidentally submitting it).
Well, this feature works, but I found another bug: if you use the navbar to log in after recovering, then you get an error about the password reset already being consumed (but you are logged in successfully) -- login shouldn't redirect back to a password recovery page.