Do not remove mail token before form has been submitted (#2239)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm

@@ -32,7 +32,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
   PE_USERNOTFOUND
 );
 
-our $VERSION = '2.0.8';
+our $VERSION = '2.0.9';
 
 extends 'Lemonldap::NG::Portal::Main::Plugin',
   'Lemonldap::NG::Portal::Lib::SMTP', 'Lemonldap::NG::Portal::Lib::_tokenRule';
@@ -130,7 +130,6 @@ sub _reset {
 
         # Restore pdata if any
         $req->pdata( $mailSession->data->{_pdata} || {} );
-        $mailSession->remove;
         $searchByMail = 0 unless ( $req->{user} =~ /\@/ );
     }
 
@@ -409,6 +408,23 @@ sub changePwd {
         return PE_NOTOKEN;
     }
 
+    # Remove the mail token session if mail token is provided
+    my $mailToken = $req->param('mail_token');
+    if ($mailToken) {
+        $self->logger->debug("Token given for password reset: $mailToken");
+
+        # Check if token is valid
+        my $mailSession =
+          $self->p->getApacheSession( $mailToken, kind => "TOKEN" );
+        unless ($mailSession) {
+            $self->userLogger->warn('Bad reset token');
+            return PE_BADMAILTOKEN;
+        }
+
+        $self->logger->debug("Delete token $mailToken");
+        $mailSession->remove;
+    }
+
     # Check if user wants to generate the new password
     if ( $req->param('reset') ) {
         $self->logger->debug(

lemonldap-ng-portal/site/templates/bootstrap/mail.tpl

@@ -102,6 +102,7 @@
       <div class="form">
 
         <input type="hidden" name="skin" value="<TMPL_VAR NAME="SKIN">" />
+        <input type="hidden" name="mail_token" value="<TMPL_VAR NAME="MAIL_TOKEN">" />
         <input type="hidden" name="url" value="<TMPL_VAR NAME="AUTH_URL">" />
         <TMPL_IF NAME="CHOICE_VALUE">
           <input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />