fix: Auto-verify email on password reset

When user resets password, they've proven inbox access by clicking the reset link. This change auto-verifies their email address, eliminating the need to separately verify email after reset. Fixes user feedback issue #2: "Reset hasła nie weryfikuje emaila" Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 19:41:05 +01:00 · 2026-01-30 19:41:05 +01:00 · 7c6379c815
commit 7c6379c815
parent 3b55e14e67
1 changed files with 9 additions and 0 deletions
--- a/app.py
+++ b/app.py
@ -4635,6 +4635,15 @@ def reset_password(token):
            user.password_hash = generate_password_hash(password, method='pbkdf2:sha256')
            user.reset_token = None
            user.reset_token_expires = None
+
+            # Auto-verify email - user proved inbox access by using reset link
+            if not user.is_verified:
+                user.is_verified = True
+                user.verified_at = datetime.now()
+                user.verification_token = None
+                user.verification_token_expires = None
+                logger.info(f"Email auto-verified via password reset for {user.email}")
+
            db.commit()

            logger.info(f"Password reset successful for {user.email}")