State token validity in password reset emails
index bfc2e27049b064f09bc4d7f6e1c4d4fb5b01c8bc..2edc6dc2999daa3cbb9006cb3954e25b48fe4ada 100644 (file)
@@ -278,6 +278,8 @@ website using the following information:
 Username: $_{username}
 Password: <your new password>
 Reset token: $token
+
+The token is valid for 24 hours.
 EOF
                        my $email = Email::Simple->create(
                                header => [
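Review bot: The new sentence `The token is valid for 24 hours.` hard-codes the validity period as a literal inside the email heredoc, while the expiry actually enforced is whatever `$exp` is set to where the token is generated, which is outside this hunk; the two can silently drift apart if the lifetime is ever changed. Prefer interpolating a single shared constant into the message, e.g. `The token is valid for $RESET_TOKEN_HOURS hours.` (constant name constructed here), defined once next to the code that computes `$exp` and used in both places. The enclosing subroutine and the start of the heredoc lie outside the hunk, so the exact binding site cannot be confirmed from this page.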
@@ -301,6 +303,7 @@ EOF
                        my $user = db->user($_{username});
                        return reply 'No such user' unless $user;
                        my ($token, $exp) = split ':', $_{token};
+                       return reply 'Reset token is expired' if time >= $exp;
                        return reply 'Bad reset token' unless $user->make_reset_hmac($exp) eq $token;
                        $user->set_passphrase($_{password});
                        reply 'Password reset successfully';
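Review bot: The added line `return reply 'Reset token is expired' if time >= $exp;` compares against `$exp` before the HMAC on the next line has authenticated it, and `$exp` comes straight from `split ':', $_{token}` on user input: a token with no `:` leaves `$exp` undef, so the comparison emits an uninitialized-value warning under `use warnings` and evaluates as `time >= 0`, replying "expired" for what is really a malformed token. Either move the expiry check after the `make_reset_hmac($exp) eq $token` line so only an authenticated timestamp is compared, or validate the field first with `return reply 'Bad reset token' unless defined $exp && $exp =~ /\A\d+\z/;` ahead of the new line. The HMAC line itself is unchanged context and the subroutine continues outside the hunk.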