From da0196a3086f2a9532d82df98afc5dbbe1a0d4e7 Mon Sep 17 00:00:00 2001
From: miloschwartz
Date: Thu, 30 Oct 2025 22:24:07 -0700
Subject: [PATCH] no reset password for external users
---
 server/routers/auth/requestPasswordReset.ts | 44 ++++++++++++++++-----
 1 file changed, 35 insertions(+), 9 deletions(-)
diff --git a/server/routers/auth/requestPasswordReset.ts b/server/routers/auth/requestPasswordReset.ts
index 52dce2e3..a7e84b9e 100644
--- a/server/routers/auth/requestPasswordReset.ts
+++ b/server/routers/auth/requestPasswordReset.ts
@@ -15,13 +15,11 @@ import config from "@server/lib/config";
 import { sendEmail } from "@server/emails";
 import ResetPasswordCode from "@server/emails/templates/ResetPasswordCode";
 import { hashPassword } from "@server/auth/password";
+import { UserType } from "@server/types/UserTypes";
 export const requestPasswordResetBody = z
 .object({
- email: z
- .string()
- .toLowerCase()
- .email(),
+ email: z.string().toLowerCase().email()
 })
 .strict();
@@ -56,12 +54,35 @@ export async function requestPasswordReset(
 .where(eq(users.email, email));
 if (!existingUser || !existingUser.length) {
- return next(
- createHttpError(
- HttpCode.BAD_REQUEST,
- "A user with that email does not exist"
- )
+ await randomDelay(2000);
+ logger.debug(
+ `Password reset requested for ${email}, but no such user exists`
 );
+ return response(res, {
+ data: {
+ sentEmail: true
+ },
+ success: true,
+ error: false,
+ message: "Password reset requested",
+ status: HttpCode.OK
+ });
+ }
+
+ if (existingUser[0].type !== UserType.Internal) {
+ await randomDelay(2000);
+ logger.debug(
+ `Password reset requested for ${email}, but user is of type ${existingUser[0].type}`
+ );
+ return response(res, {
+ data: {
+ sentEmail: true
+ },
+ success: true,
+ error: false,
+ message: "Password reset requested",
+ status: HttpCode.OK
+ });
 }
 const token = generateRandomString(8, alphabet("0-9", "A-Z", "a-z"));
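Review bot: Response timing can still separate existing internal accounts from the two early-return cases in the `-56,12 +54,35` hunk, because `randomDelay(2000)` is applied only to the unknown-email and non-internal branches and its jitter starts at 0, so some misses return almost immediately and the randomness averages out across repeated requests. The success path lies outside this hunk, so its latency is inferred rather than visible; if it hashes the token and sends mail inline, consider recording `const startedAt = Date.now();` at handler entry and making every return path wait until one fixed floor, or queueing the email so all paths do the same work. The `response(res, { data: { sentEmail: true }, ... })` block is duplicated and must also stay identical to whatever the success path returns, so a small shared helper would keep the three from drifting. The two `logger.debug` calls write the submitted email address and account type to the log; confirm that is acceptable for wherever debug logs are retained.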
@@ -120,3 +141,8 @@ export async function requestPasswordReset(
 );
 }
 }
+
+async function randomDelay(maxDelayMs: number) {
+ const delay = Math.floor(Math.random() * maxDelayMs);
+ return new Promise((resolve) => setTimeout(resolve, delay));
+}
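Review bot: `randomDelay` has no declared return type and is an `async` function that only wraps a `new Promise`, so the result is inferred as `Promise<unknown>` and the `async` keyword is redundant; `function randomDelay(maxDelayMs: number): Promise<void>` with `new Promise<void>((resolve) => setTimeout(resolve, delay))` states the contract. The delay is drawn from `[0, maxDelayMs)` and can therefore be zero, so a short TSDoc comment should say this is jitter with no minimum and that callers must not rely on it alone to equalise response time. The same comment could note that `Math.random()` is adequate here because the value is not a secret.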