redirect: when logging in to ezidam, if user has expired password reset token, delete it

crates/ezidam/src/routes/oauth/authorize.rs

@@ -208,9 +208,11 @@ pub async fn authorize_form(
     // Generate authorization code
     let code = task::spawn_blocking(|| SecretString::new(AUTHORIZATION_CODE_LEN)).await?;
 
-    // Save authorization code
     let mut transaction = db.begin().await?;
+
+    // Save authorization code
     AuthorizationCode::insert(&mut transaction, code.as_ref(), app.id(), &user_id).await?;
+
     transaction.commit().await?;
 
     // Redirect to oauth redirect uri

crates/ezidam/src/routes/oauth/redirect.rs

@@ -123,6 +123,18 @@ pub async fn redirect_page(
         cookie_jar.add(cookie);
     }
 
+    // If user has unused password reset token
+    if let Some(password_recover) = user
+        .password_recover()
+        .map_err(|e| Error::internal_server_error(format!("Password recover: {e}")))?
+    {
+        // If it has expired, delete it
+        if password_recover.has_expired() {
+            user.set_password_reset_token(&mut transaction, None)
+                .await?;
+        }
+    }
+
     transaction.commit().await?;
 
     // HTTP Response

crates/users/src/lib.rs

@@ -8,6 +8,7 @@ use id::UserID;
 use serde::Serialize;
 
 pub use crate::error::Error;
+use crate::password_reset::{Error as PasswordResetTokenError, PasswordResetToken};
 
 #[derive(Serialize, Debug, Clone)]
 pub struct User {
@@ -64,4 +65,10 @@ impl User {
     pub fn totp_backup_hashed(&self) -> Option<&str> {
         self.totp_backup.as_deref()
     }
+    pub fn password_recover(&self) -> Result<Option<PasswordResetToken>, PasswordResetTokenError> {
+        self.password_recover
+            .as_deref()
+            .map(PasswordResetToken::parse)
+            .transpose()
+    }
 }