Add security token when forcing password reset (#1639)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/AD.pm

@@ -133,12 +133,16 @@ sub authenticate {
     }
 
     # Remember password if password reset needed
-    $req->data->{oldpassword} = $req->data->{password}
-      if (
+    if (
         $res == PE_PP_CHANGE_AFTER_RESET
         or (    $res == PE_PP_PASSWORD_EXPIRED
             and $self->conf->{ldapAllowResetExpiredPassword} )
-      );
+      )
+    {
+        $req->data->{oldpassword} = $self->{password};
+        $req->data->{noerror}     = 1;
+        $self->setSecurity($req);
+    }
 
     return $res;
 }

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/LDAP.pm

@@ -46,6 +46,7 @@ sub authenticate {
     {
         $req->data->{oldpassword} = $self->{password};
         $req->data->{noerror}     = 1;
+        $self->setSecurity($req);
     }
 
     return $res;

lemonldap-ng-portal/site/templates/bootstrap/password.tpl

@@ -11,6 +11,10 @@
     </TMPL_IF>
     <input type="hidden" name="skin" value="<TMPL_VAR NAME="SKIN">" />
 
+    <TMPL_IF NAME="TOKEN">
+      <input type="hidden" name="token" value="<TMPL_VAR NAME="TOKEN">" />
+    </TMPL_IF>
+
     <TMPL_IF NAME="LOGIN">
     <div class="input-group mb-3">
       <input name="user" type="hidden" value="<TMPL_VAR NAME=LOGIN>" />