Check user accepted before sending jwt in password reset (fixes #2591) (#2597)

Co-authored-by: Dessalines <dessalines@users.noreply.github.com>
1 year ago · 70e3feb174
parent ccb6435c1d
commit 70e3feb174
1 changed files with 18 additions and 9 deletions
--- a/crates/api/src/local_user/change_password_after_reset.rs
+++ b/crates/api/src/local_user/change_password_after_reset.rs
@ -8,6 +8,7 @@ use lemmy_db_schema::source::{
  local_user::LocalUser,
  password_reset_request::PasswordResetRequest,
 };
+use lemmy_db_views::structs::SiteView;
 use lemmy_utils::{claims::Claims, error::LemmyError, ConnectionId};
 use lemmy_websocket::LemmyContext;

@ -42,16 +43,24 @@ impl Perform for PasswordChangeAfterReset {
      .await
      .map_err(|e| LemmyError::from_error_message(e, "couldnt_update_user"))?;

-    // Return the jwt
+    // Return the jwt if login is allowed
+    let site_view = SiteView::read_local(context.pool()).await?;
+    let jwt =
+      if site_view.local_site.require_application && !updated_local_user.accepted_application {
+        None
+      } else {
+        Some(
+          Claims::jwt(
+            updated_local_user.id.0,
+            &context.secret().jwt_secret,
+            &context.settings().hostname,
+          )?
+          .into(),
+        )
+      };
+
    Ok(LoginResponse {
-      jwt: Some(
-        Claims::jwt(
-          updated_local_user.id.0,
-          &context.secret().jwt_secret,
-          &context.settings().hostname,
-        )?
-        .into(),
-      ),
+      jwt,
      verify_email_sent: false,
      registration_created: false,
    })