make sure user needs to go through MFA when resetting password

2024-11-13 04:04:55 +08:00 · 2021-07-12 18:56:09 +02:00 · 2021-07-12 18:56:09 +02:00 · 99599bb09f
commit 99599bb09f
parent c011a4b90b
1 changed files with 4 additions and 3 deletions
--- a/app/auth/views/reset_password.py
+++ b/app/auth/views/reset_password.py
@ -4,6 +4,7 @@ from flask_wtf import FlaskForm
 from wtforms import StringField, validators

 from app.auth.base import auth_bp
+from app.auth.views.login_utils import after_login
 from app.extensions import db, limiter
 from app.models import ResetPasswordCode

@ -57,10 +58,10 @@ def reset_password():

        # remove the reset password code
        ResetPasswordCode.delete(reset_password_code.id)
-
        db.session.commit()
-        login_user(user)

-        return redirect(url_for("dashboard.index"))
+        # do not use login_user(user) here
+        # to make sure user needs to go through MFA if enabled
+        return after_login(user, url_for("dashboard.index"))

    return render_template("auth/reset_password.html", form=form)