From 62f12c1f4fdbac52a49c5e50515282d02f38106e Mon Sep 17 00:00:00 2001
From: Marius Gavrilescu <marius@ieval.ro>
Date: Mon, 16 Feb 2015 17:53:18 +0200
Subject: [PATCH] Reject expired reset tokens

---
 lib/Plack/App/Gruntmaster.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/Plack/App/Gruntmaster.pm b/lib/Plack/App/Gruntmaster.pm
index bfc2e27..2b06c93 100644
--- a/lib/Plack/App/Gruntmaster.pm
+++ b/lib/Plack/App/Gruntmaster.pm
@@ -301,6 +301,7 @@ EOF
 			my $user = db->user($_{username});
 			return reply 'No such user' unless $user;
 			my ($token, $exp) = split ':', $_{token};
+			return reply 'Reset token is expired' if time >= $exp;
 			return reply 'Bad reset token' unless $user->make_reset_hmac($exp) eq $token;
 			$user->set_passphrase($_{password});
 			reply 'Password reset successfully';
-- 
2.39.2