fix: password reset token used utcnow vs now, extend admin reset to 24h

The admin reset-password endpoint used datetime.utcnow() while the
validation used datetime.now(), causing tokens to appear expired
immediately on CET servers. Changed to datetime.now() and extended
admin-initiated resets to 24 hours validity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Maciej Pienczyn 2026-03-13 11:07:17 +01:00
parent 1522ce344c
commit 0214cc70f2
3 changed files with 5 additions and 5 deletions

View File

@ -564,7 +564,7 @@ def admin_user_reset_password(user_id):
reset_token = secrets.token_urlsafe(32)
user.reset_token = reset_token
user.reset_token_expires = datetime.utcnow() + timedelta(hours=1)
user.reset_token_expires = datetime.now() + timedelta(hours=24)
db.commit()
base_url = os.getenv('APP_URL', 'https://nordabiznes.pl')
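Review bot: replacing `datetime.utcnow()` with naive `datetime.now()` on the `reset_token_expires` line makes the expiry depend on the server's local clock and DST rules rather than fixing the real defect, which is mixing naive UTC and naive local timestamps between this endpoint and the validation path. Prefer timezone-aware UTC on both ends (`datetime.now(timezone.utc)` when setting the expiry, and the same when comparing on validation) so the token lifetime is stable across hosts and timezone changes. Also worth noting that the change bundles two things, the clock fix and the jump from 1 to 24 hours; a 24-hour window for an admin-generated token is a larger exposure than the original one hour, so if the longer lifetime is intentional it should be stated as a deliberate decision in the commit message rather than folded into a bug fix.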
@ -588,7 +588,7 @@ def admin_user_reset_password(user_id):
else:
logger.warning("Email service not configured, cannot send reset email")
message = "Email z linkiem do resetu hasła wysłany" if email_sent else "Link do resetu hasła wygenerowany (ważny 1 godzinę)"
message = "Email z linkiem do resetu hasła wysłany" if email_sent else "Link do resetu hasła wygenerowany (ważny 24 godziny)"
return jsonify({
'success': True,
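Review bot: the "ważny 24 godziny" text in the fallback `message` is a hardcoded copy of the `timedelta(hours=24)` value from the hunk above, so the two can drift apart on the next change (this commit already had to edit the same number in three files). Suggest a single constant such as `ADMIN_RESET_TOKEN_HOURS = 24` used both for the `timedelta` and for formatting the message, e.g. `f"Link do resetu hasła wygenerowany (ważny {ADMIN_RESET_TOKEN_HOURS} godziny)"`.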

View File

@ -425,7 +425,7 @@ def send_password_reset_email(email: str, reset_url: str) -> bool:
Aby zresetować hasło, kliknij w poniższy link:
{reset_url}
Link będzie ważny przez 1 godzinę.
Link będzie ważny przez 24 godziny.
Jeśli nie zażądałeś resetowania hasła, zignoruj ten email.
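Review bot: `send_password_reset_email(email, reset_url)` takes no validity argument, yet its body now states unconditionally that the link is valid for 24 hours. The commit message says only admin-initiated resets were extended to 24 hours, so any other caller of this function (a self-service reset that keeps a shorter lifetime) would now send users an incorrect expiry. Suggest passing the validity in, e.g. `send_password_reset_email(email, reset_url, valid_hours=24)`, and rendering it into the text, so the email always reflects the lifetime of the token it carries.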
@ -448,7 +448,7 @@ https://nordabiznes.pl
<!-- Warning -->
<table width="100%" cellpadding="0" cellspacing="0" style="background:#fef3c7; border-radius:8px; border: 1px solid #fcd34d; margin-bottom:24px;">
<tr><td style="padding: 16px;">
<p style="margin:0 0 4px; color:#92400e; font-size:14px; font-weight:600;">Ważność linku: 1 godzina</p>
<p style="margin:0 0 4px; color:#92400e; font-size:14px; font-weight:600;">Ważność linku: 24 godziny</p>
<p style="margin:0; color:#92400e; font-size:13px;">Po tym czasie konieczne będzie ponowne żądanie resetu hasła.</p>
</td></tr>
</table>
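Review bot: the "Ważność linku: 24 godziny" line in the HTML warning box duplicates the plain-text body's validity statement a second time within the same function; it should be rendered from the same value as the plain-text part so the two alternatives of the message can never disagree with each other or with the token's actual expiry.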

View File

@ -1479,7 +1479,7 @@
<svg fill="none" stroke="currentColor" stroke-width="2" viewBox="0 0 24 24">
<path d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z"/>
</svg>
<span>Link ważny przez 1 godzinę</span>
<span>Link ważny przez 24 godziny</span>
</div>
</div>
<div style="margin-top: var(--spacing-md);">
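Review bot: the frontend `<span>` now carries a fourth hardcoded copy of the validity text. Since the admin endpoint already returns a `message` string describing the generated link and its validity (see the `jsonify` response in the earlier hunk), consider rendering that server-provided message here instead of a static string, so the UI cannot show a lifetime that differs from what the backend actually set.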