no reset password for external users

2026-01-27 10:20:03 +00:00 · 2025-10-30 22:24:07 -07:00
parent e585972b7b
commit da0196a308
1 changed files with 35 additions and 9 deletions
--- a/server/routers/auth/requestPasswordReset.ts
+++ b/server/routers/auth/requestPasswordReset.ts
@@ -15,13 +15,11 @@ import config from "@server/lib/config";
 import { sendEmail } from "@server/emails";
 import ResetPasswordCode from "@server/emails/templates/ResetPasswordCode";
 import { hashPassword } from "@server/auth/password";
+import { UserType } from "@server/types/UserTypes";

 export const requestPasswordResetBody = z
    .object({
-        email: z
-            .string()
-            .toLowerCase()
-            .email(),
+        email: z.string().toLowerCase().email()
    })
    .strict();

@@ -56,12 +54,35 @@ export async function requestPasswordReset(
            .where(eq(users.email, email));

        if (!existingUser || !existingUser.length) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    "A user with that email does not exist"
-                )
+            await randomDelay(2000);
+            logger.debug(
+                `Password reset requested for ${email}, but no such user exists`
            );
+            return response<RequestPasswordResetResponse>(res, {
+                data: {
+                    sentEmail: true
+                },
+                success: true,
+                error: false,
+                message: "Password reset requested",
+                status: HttpCode.OK
+            });
+        }
+
+        if (existingUser[0].type !== UserType.Internal) {
+            await randomDelay(2000);
+            logger.debug(
+                `Password reset requested for ${email}, but user is of type ${existingUser[0].type}`
+            );
+            return response<RequestPasswordResetResponse>(res, {
+                data: {
+                    sentEmail: true
+                },
+                success: true,
+                error: false,
+                message: "Password reset requested",
+                status: HttpCode.OK
+            });
        }

        const token = generateRandomString(8, alphabet("0-9", "A-Z", "a-z"));
@@ -120,3 +141,8 @@ export async function requestPasswordReset(
        );
    }
 }
+
+async function randomDelay(maxDelayMs: number) {
+    const delay = Math.floor(Math.random() * maxDelayMs);
+    return new Promise((resolve) => setTimeout(resolve, delay));
+}