Don't store reset password's token in URL path

Clasyc · Oct 11, 2017 · d0a475c · d0a475c
1 parent a100ada
commit d0a475c
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/providers/password/password.go b/providers/password/password.go
@@ -179,9 +179,9 @@ func (provider Provider) ServeHTTP(context *auth.Context) {
 			}
 		case "edit":
 			// render edit password page
-			if len(paths) == 3 {
+			if token := context.Request.URL.Query().Get("token"); token != "" {
 				context.Auth.Config.Render.Funcs(template.FuncMap{
-					"reset_password_token": func() string { return paths[2] },
+					"reset_password_token": func() string { return token },
 				}).Execute("auth/password/edit", context, context.Request, context.Writer)
 				return
 			}

diff --git a/providers/password/reset_password.go b/providers/password/reset_password.go
@@ -47,7 +47,10 @@ var DefaultResetPasswordMailer = func(email string, context *auth.Context, claim
 			},
 			"reset_password_url": func() string {
 				resetPasswordURL := utils.GetAbsURL(context.Request)
-				resetPasswordURL.Path = path.Join(context.Auth.AuthURL("password/edit"), context.SessionStorer.SignedToken(claims))
+				resetPasswordURL.Path = path.Join(context.Auth.AuthURL("password/edit"))
+				qry := resetPasswordURL.Query()
+				qry.Set("token", context.SessionStorer.SignedToken(claims))
+				resetPasswordURL.RawQuery = qry.Encode()
 				return resetPasswordURL.String()
 			},
 		}),