forgejo_admin/basketball-api
1
0
Fork 1
Code Issues 13 Pull requests 3 Projects Releases Packages Wiki Activity Actions

Bug: Password reset confirm returns HTTP 200 for invalid tokens #138

New issue
Closed
opened 2026-03-21 20:53:53 +00:00 by forgejo_admin · 0 comments
forgejo_admin commented 2026-03-21 20:53:53 +00:00
Owner
Copy link

Type

Bug

Lineage

plan-wkq → Phase 11 (Girls Tryout — March 24)
Discovered during UX testing of password reset flow (basketball-api #132)

Repo

forgejo_admin/basketball-api + forgejo_admin/westside-app

What Broke

POST /api/password-reset/confirm returns HTTP 200 with {"message":"Invalid or expired reset token."} for invalid/expired tokens. The frontend checks status code only, sees 200, and shows "Your password has been updated" — even though nothing happened. A parent with an expired link thinks they reset their password, tries to sign in, and fails.

Repro Steps

  1. Go to /reset-password?token=any-invalid-token
  2. Enter new password + confirm
  3. Click "Update Password"
  4. See success message "Your password has been updated"
  5. Try to sign in — password unchanged, login fails

Expected Behavior

  • Backend: return HTTP 400 for invalid/expired/used tokens
  • Frontend: check response status, show error message for non-2xx responses

Environment

  • Cluster/namespace: basketball-api + westsidekingsandqueens
  • Service version: basketball-api PR #133, westside-app PR #63

Acceptance Criteria

  • POST /api/password-reset/confirm returns HTTP 400 for invalid/expired/used tokens
  • Frontend shows error message when API returns non-2xx
  • Frontend shows "link expired" with link back to /forgot-password to request a new one
  • Valid tokens still work and show success

File Targets

basketball-api:

  • src/basketball_api/routes/password_reset.py — change invalid token response from 200 to 400

westside-app:

  • src/routes/reset-password/+page.svelte — check res.ok before showing success, show error state on failure

Constraints

  • Keep returning 200 for the /request endpoint (no user enumeration)
  • Only fix the /confirm endpoint — invalid tokens are not a security enumeration risk

Checklist

  • PR opened
  • Tests updated
  • No unrelated changes

Related

  • basketball-api #132 — parent feature
  • basketball-api #133 — backend PR that introduced the bug
  • westside-app #63 — frontend PR that doesn't check response
### Type Bug ### Lineage `plan-wkq` → Phase 11 (Girls Tryout — March 24) Discovered during UX testing of password reset flow (basketball-api #132) ### Repo `forgejo_admin/basketball-api` + `forgejo_admin/westside-app` ### What Broke `POST /api/password-reset/confirm` returns HTTP 200 with `{"message":"Invalid or expired reset token."}` for invalid/expired tokens. The frontend checks status code only, sees 200, and shows "Your password has been updated" — even though nothing happened. A parent with an expired link thinks they reset their password, tries to sign in, and fails. ### Repro Steps 1. Go to `/reset-password?token=any-invalid-token` 2. Enter new password + confirm 3. Click "Update Password" 4. See success message "Your password has been updated" 5. Try to sign in — password unchanged, login fails ### Expected Behavior - Backend: return HTTP 400 for invalid/expired/used tokens - Frontend: check response status, show error message for non-2xx responses ### Environment - Cluster/namespace: basketball-api + westsidekingsandqueens - Service version: basketball-api PR #133, westside-app PR #63 ### Acceptance Criteria - [ ] `POST /api/password-reset/confirm` returns HTTP 400 for invalid/expired/used tokens - [ ] Frontend shows error message when API returns non-2xx - [ ] Frontend shows "link expired" with link back to `/forgot-password` to request a new one - [ ] Valid tokens still work and show success ### File Targets **basketball-api:** - `src/basketball_api/routes/password_reset.py` — change invalid token response from 200 to 400 **westside-app:** - `src/routes/reset-password/+page.svelte` — check `res.ok` before showing success, show error state on failure ### Constraints - Keep returning 200 for the `/request` endpoint (no user enumeration) - Only fix the `/confirm` endpoint — invalid tokens are not a security enumeration risk ### Checklist - [ ] PR opened - [ ] Tests updated - [ ] No unrelated changes ### Related - basketball-api #132 — parent feature - basketball-api #133 — backend PR that introduced the bug - westside-app #63 — frontend PR that doesn't check response
forgejo_admin 2026-03-21 21:04:35 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
220-registration-admin-email
221-admin-leads-endpoint
222-dedup-interest-leads
205-clean-test-data-from-production-db-playe
114-email-verification
147-feat-add-get-jersey-player-info-endpoint
124-feat-many-to-many-player-team-assignment
125-feat-add-new-players-manually-seydou-gou
126-feat-team-placement-congratulations-emai
121-admin-teams-spa-endpoints
70-add-graduating-class-to-roster-api-respo
59-fix-auth-test
62-phase-4l-sveltekit-dashboard-wkq-tailsca
11-phase-1a-fix-ci-pipeline-venv-in-test-st
No results found.
Labels
Clear labels   
domain:backend

   
domain:devops

   
domain:frontend

   
status:approved

QA passed, awaiting merge approval

  
status:in-progress

Dev agent is actively working

  
status:needs-fix

QA found issues, back to dev

  
status:qa

PR submitted, awaiting QA review

  
type:bug

Bug fix

  
type:devops

Infrastructure/CI/config work

  
type:feature

New functionality

No labels
domain:backend
domain:devops
domain:frontend
status:approved
status:in-progress
status:needs-fix
status:qa
type:bug
type:devops
type:feature
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo_admin/basketball-api#138
No description provided.