From 70e3feb174a2471ff018071fbfed5039ed31fa3d Mon Sep 17 00:00:00 2001
From: Nutomic <me@nutomic.com>
Date: Thu, 1 Dec 2022 21:36:03 +0000
Subject: [PATCH] Check user accepted before sending jwt in password reset
 (fixes #2591) (#2597)

Co-authored-by: Dessalines <dessalines@users.noreply.github.com>
---
 .../local_user/change_password_after_reset.rs | 27 ++++++++++++-------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/crates/api/src/local_user/change_password_after_reset.rs b/crates/api/src/local_user/change_password_after_reset.rs
index 2086a2755..3ac48252e 100644
--- a/crates/api/src/local_user/change_password_after_reset.rs
+++ b/crates/api/src/local_user/change_password_after_reset.rs
@@ -8,6 +8,7 @@ use lemmy_db_schema::source::{
   local_user::LocalUser,
   password_reset_request::PasswordResetRequest,
 };
+use lemmy_db_views::structs::SiteView;
 use lemmy_utils::{claims::Claims, error::LemmyError, ConnectionId};
 use lemmy_websocket::LemmyContext;
 
@@ -42,16 +43,24 @@ impl Perform for PasswordChangeAfterReset {
       .await
       .map_err(|e| LemmyError::from_error_message(e, "couldnt_update_user"))?;
 
-    // Return the jwt
+    // Return the jwt if login is allowed
+    let site_view = SiteView::read_local(context.pool()).await?;
+    let jwt =
+      if site_view.local_site.require_application && !updated_local_user.accepted_application {
+        None
+      } else {
+        Some(
+          Claims::jwt(
+            updated_local_user.id.0,
+            &context.secret().jwt_secret,
+            &context.settings().hostname,
+          )?
+          .into(),
+        )
+      };
+
     Ok(LoginResponse {
-      jwt: Some(
-        Claims::jwt(
-          updated_local_user.id.0,
-          &context.secret().jwt_secret,
-          &context.settings().hostname,
-        )?
-        .into(),
-      ),
+      jwt,
       verify_email_sent: false,
       registration_created: false,
     })