
[Bug]: The Reset Password token is reusable

Open Deroswent opened this issue 6 months ago • 2 comments

Package.json file

{
  "name": "backend-server7",
  "version": "0.0.1",
  "description": "A starter for Medusa projects.",
  "author": "Medusa (https://medusajs.com)",
  "license": "MIT",
  "keywords": [
    "sqlite",
    "postgres",
    "typescript",
    "ecommerce",
    "headless",
    "medusa"
  ],
  "scripts": {
    "build": "medusa build",
    "seed": "medusa exec ./src/scripts/seed.ts",
    "start": "medusa start",
    "dev": "medusa develop",
    "test:integration:http": "TEST_TYPE=integration:http NODE_OPTIONS=--experimental-vm-modules jest --silent=false --runInBand --forceExit",
    "test:integration:modules": "TEST_TYPE=integration:modules NODE_OPTIONS=--experimental-vm-modules jest --silent --runInBand --forceExit",
    "test:unit": "TEST_TYPE=unit NODE_OPTIONS=--experimental-vm-modules jest --silent --runInBand --forceExit"
  },
  "dependencies": {
    "@medusajs/admin-sdk": "2.8.2",
    "@medusajs/cli": "2.8.2",
    "@medusajs/framework": "2.8.2",
    "@medusajs/index": "2.8.2",
    "@medusajs/medusa": "2.8.2",
    "@mikro-orm/core": "6.4.3",
    "@mikro-orm/knex": "6.4.3",
    "@mikro-orm/migrations": "6.4.3",
    "@mikro-orm/postgresql": "6.4.3",
    "1c_integration": "github:Deroswent/1c_integration",
    "awilix": "^8.0.1",
    "exceljs": "^4.4.0",
    "managers": "github:Deroswent/managers",
    "nodemailer": "^6.10.1",
    "pg": "^8.13.0"
  },
  "devDependencies": {
    "@medusajs/test-utils": "2.8.2",
    "@mikro-orm/cli": "6.4.3",
    "@swc/core": "1.5.7",
    "@swc/jest": "^0.2.36",
    "@types/jest": "^29.5.13",
    "@types/node": "^20.0.0",
    "@types/react": "^18.3.2",
    "@types/react-dom": "^18.2.25",
    "jest": "^29.7.0",
    "prop-types": "^15.8.1",
    "react": "^18.2.0",
    "react-dom": "^18.2.0",
    "ts-node": "^10.9.2",
    "typescript": "^5.6.2",
    "vite": "^5.2.11",
    "yalc": "^1.0.0-pre.53"
  },
  "engines": {
    "node": ">=20"
  }
}

Node.js version

v22.11.0

Database and its version

PostgreSQL 17.2

Operating system name and version

Ubuntu 24.04

Browser name

No response

What happened?

This endpoint generates a token, which is then used to reset the password. The problem is that the same token is reusable, and it is not removed from Medusa storage after the first successful use.

I understand that the token has a limited lifetime, and probably (I haven't checked, but I hope so) the token is tied to the email for which it was generated. Nevertheless, I consider it a bug and a security issue. After the first successful use, the token should be deleted from the storage.

Expected behavior

After the first successful use, the token should be deleted from the storage.

Actual behavior

The token is reusable.

Link to reproduction repo

https://github.com/medusajs/medusa/

Deroswent avatar May 17 '25 20:05 Deroswent
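The two behaviours the report contrasts, as an added TypeScript example that is not Medusa's code: a reset-token store whose check leaves the record in place (so the token stays valid until it expires) beside one that deletes the record on the first successful check. The store, its SHA-256 hashing of tokens and its expiry handling are assumptions for illustration.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Constructed example store, not Medusa's own: each record holds the email
// the token was issued for and its expiry; the token itself is kept only as
// a SHA-256 hash so a leaked table does not yield usable tokens.
type ResetRecord = { email: string; expiresAt: number };

class ResetTokenStore {
  private records = new Map<string, ResetRecord>();
  private ttlMs: number;
  private now: () => number;

  constructor(ttlMs = 15 * 60 * 1000, now: () => number = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now; // injectable clock so expiry can be exercised in tests
  }

  private key(token: string): string {
    return createHash("sha256").update(token).digest("hex");
  }

  // Issue a fresh random token bound to one email address.
  issue(email: string): string {
    const token = randomBytes(32).toString("base64url");
    this.records.set(this.key(token), { email, expiresAt: this.now() + this.ttlMs });
    return token;
  }

  // The reported behaviour: the token is validated but never removed,
  // so it remains valid for every request until it expires.
  verifyReusable(email: string, token: string): boolean {
    const rec = this.records.get(this.key(token));
    return rec !== undefined && rec.email === email && rec.expiresAt > this.now();
  }

  // The expected behaviour: the record is deleted on the first successful
  // check, so presenting the same token again fails.
  consume(email: string, token: string): boolean {
    const k = this.key(token);
    const rec = this.records.get(k);
    if (rec === undefined) return false;
    if (rec.expiresAt <= this.now()) {
      this.records.delete(k); // expired: purge rather than leave it in storage
      return false;
    }
    if (rec.email !== email) return false; // bound to a different account
    this.records.delete(k); // single use: remove before the password is changed
    return true;
  }
}
```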