fix(core): Make password-reset urls valid only for single-use (#7622)

packages/cli/src/Server.ts

@@ -272,15 +272,7 @@ export class Server extends AbstractServer {
 			),
 			Container.get(MeController),
 			new NodeTypesController(config, nodeTypes),
-			new PasswordResetController(
-				logger,
-				externalHooks,
-				internalHooks,
-				mailer,
-				userService,
-				jwtService,
-				mfaService,
-			),
+			Container.get(PasswordResetController),
 			Container.get(TagsController),
 			new TranslationController(config, this.credentialTypes),
 			new UsersController(

packages/cli/src/auth/jwt.ts

@@ -44,6 +44,11 @@ export function issueJWT(user: User): JwtToken {
 	};
 }
 
+export const createPasswordSha = (user: User) =>
+	createHash('sha256')
+		.update(user.password.slice(user.password.length / 2))
+		.digest('hex');
+
 export async function resolveJwtContent(jwtPayload: JwtPayload): Promise<User> {
 	const user = await Db.collections.User.findOne({
 		where: { id: jwtPayload.id },
@@ -52,9 +57,7 @@ export async function resolveJwtContent(jwtPayload: JwtPayload): Promise<User> {
 
 	let passwordHash = null;
 	if (user?.password) {
-		passwordHash = createHash('sha256')
-			.update(user.password.slice(user.password.length / 2))
-			.digest('hex');
+		passwordHash = createPasswordSha(user);
 	}
 
 	// currently only LDAP users during synchronization

packages/cli/src/controllers/passwordReset.controller.ts

@@ -1,5 +1,9 @@
+import { Response } from 'express';
+import { rateLimit } from 'express-rate-limit';
+import { Service } from 'typedi';
 import { IsNull, Not } from 'typeorm';
 import validator from 'validator';
+
 import { Get, Post, RestController } from '@/decorators';
 import {
 	BadRequestError,
@@ -14,23 +18,17 @@ import {
 	validatePassword,
 } from '@/UserManagement/UserManagementHelper';
 import { UserManagementMailer } from '@/UserManagement/email';
-
-import { Response } from 'express';
 import { PasswordResetRequest } from '@/requests';
-import { IExternalHooksClass, IInternalHooksClass } from '@/Interfaces';
 import { issueCookie } from '@/auth/jwt';
 import { isLdapEnabled } from '@/Ldap/helpers';
 import { isSamlCurrentAuthenticationMethod } from '@/sso/ssoHelpers';
 import { UserService } from '@/services/user.service';
 import { License } from '@/License';
-import { Container } from 'typedi';
 import { RESPONSE_ERROR_MESSAGES, inTest } from '@/constants';
-import { TokenExpiredError } from 'jsonwebtoken';
-import type { JwtPayload } from '@/services/jwt.service';
-import { JwtService } from '@/services/jwt.service';
 import { MfaService } from '@/Mfa/mfa.service';
 import { Logger } from '@/Logger';
-import { rateLimit } from 'express-rate-limit';
+import { ExternalHooks } from '@/ExternalHooks';
+import { InternalHooks } from '@/InternalHooks';
 
 const throttle = rateLimit({
 	windowMs: 5 * 60 * 1000, // 5 minutes
@@ -38,16 +36,17 @@ const throttle = rateLimit({
 	message: { message: 'Too many requests' },
 });
 
+@Service()
 @RestController()
 export class PasswordResetController {
 	constructor(
 		private readonly logger: Logger,
-		private readonly externalHooks: IExternalHooksClass,
-		private readonly internalHooks: IInternalHooksClass,
+		private readonly externalHooks: ExternalHooks,
+		private readonly internalHooks: InternalHooks,
 		private readonly mailer: UserManagementMailer,
 		private readonly userService: UserService,
-		private readonly jwtService: JwtService,
 		private readonly mfaService: MfaService,
+		private readonly license: License,
 	) {}
 
 	/**
@@ -92,7 +91,7 @@ export class PasswordResetController {
 			relations: ['authIdentities', 'globalRole'],
 		});
 
-		if (!user?.isOwner && !Container.get(License).isWithinUsersLimit()) {
+		if (!user?.isOwner && !this.license.isWithinUsersLimit()) {
 			this.logger.debug(
 				'Request to send password reset email failed because the user limit was reached',
 			);
@@ -123,29 +122,16 @@ export class PasswordResetController {
 			throw new UnprocessableRequestError('forgotPassword.ldapUserPasswordResetUnavailable');
 		}
 
-		const baseUrl = getInstanceBaseUrl();
+		const url = this.userService.generatePasswordResetUrl(user);
+
 		const { id, firstName, lastName } = user;
-
-		const resetPasswordToken = this.jwtService.signData(
-			{ sub: id },
-			{
-				expiresIn: '20m',
-			},
-		);
-
-		const url = this.userService.generatePasswordResetUrl(
-			baseUrl,
-			resetPasswordToken,
-			user.mfaEnabled,
-		);
-
 		try {
 			await this.mailer.passwordReset({
 				email,
 				firstName,
 				lastName,
 				passwordResetUrl: url,
-				domain: baseUrl,
+				domain: getInstanceBaseUrl(),
 			});
 		} catch (error) {
 			void this.internalHooks.onEmailFailed({
@@ -173,9 +159,9 @@ export class PasswordResetController {
 	 */
 	@Get('/resolve-password-token')
 	async resolvePasswordToken(req: PasswordResetRequest.Credentials) {
-		const { token: resetPasswordToken } = req.query;
+		const { token } = req.query;
 
-		if (!resetPasswordToken) {
+		if (!token) {
 			this.logger.debug(
 				'Request to resolve password token failed because of missing password reset token',
 				{
@@ -185,32 +171,17 @@ export class PasswordResetController {
 			throw new BadRequestError('');
 		}
 
-		const decodedToken = this.verifyResetPasswordToken(resetPasswordToken);
+		const user = await this.userService.resolvePasswordResetToken(token);
+		if (!user) throw new NotFoundError('');
 
-		const user = await this.userService.findOne({
-			where: { id: decodedToken.sub },
-			relations: ['globalRole'],
-		});
-
-		if (!user?.isOwner && !Container.get(License).isWithinUsersLimit()) {
+		if (!user?.isOwner && !this.license.isWithinUsersLimit()) {
 			this.logger.debug(
 				'Request to resolve password token failed because the user limit was reached',
-				{ userId: decodedToken.sub },
+				{ userId: user.id },
 			);
 			throw new UnauthorizedError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
 		}
 
-		if (!user) {
-			this.logger.debug(
-				'Request to resolve password token failed because no user was found for the provided user ID',
-				{
-					userId: decodedToken.sub,
-					resetPasswordToken,
-				},
-			);
-			throw new NotFoundError('');
-		}
-
 		this.logger.info('Reset-password token resolved successfully', { userId: user.id });
 		void this.internalHooks.onUserPasswordResetEmailClick({ user });
 	}
@@ -220,9 +191,9 @@ export class PasswordResetController {
 	 */
 	@Post('/change-password')
 	async changePassword(req: PasswordResetRequest.NewPassword, res: Response) {
-		const { token: resetPasswordToken, password, mfaToken } = req.body;
+		const { token, password, mfaToken } = req.body;
 
-		if (!resetPasswordToken || !password) {
+		if (!token || !password) {
 			this.logger.debug(
 				'Request to change password failed because of missing user ID or password or reset password token in payload',
 				{
@@ -234,22 +205,8 @@ export class PasswordResetController {
 
 		const validPassword = validatePassword(password);
 
-		const decodedToken = this.verifyResetPasswordToken(resetPasswordToken);
-
-		const user = await this.userService.findOne({
-			where: { id: decodedToken.sub },
-			relations: ['authIdentities', 'globalRole'],
-		});
-
-		if (!user) {
-			this.logger.debug(
-				'Request to resolve password token failed because no user was found for the provided user ID',
-				{
-					resetPasswordToken,
-				},
-			);
-			throw new NotFoundError('');
-		}
+		const user = await this.userService.resolvePasswordResetToken(token);
+		if (!user) throw new NotFoundError('');
 
 		if (user.mfaEnabled) {
 			if (!mfaToken) throw new BadRequestError('If MFA enabled, mfaToken is required.');
@@ -285,23 +242,4 @@ export class PasswordResetController {
 
 		await this.externalHooks.run('user.password.update', [user.email, passwordHash]);
 	}
-
-	private verifyResetPasswordToken(resetPasswordToken: string) {
-		let decodedToken: JwtPayload;
-		try {
-			decodedToken = this.jwtService.verifyToken(resetPasswordToken);
-			return decodedToken;
-		} catch (e) {
-			if (e instanceof TokenExpiredError) {
-				this.logger.debug('Reset password token expired', {
-					resetPasswordToken,
-				});
-				throw new NotFoundError('');
-			}
-			this.logger.debug('Error verifying token', {
-				resetPasswordToken,
-			});
-			throw new BadRequestError('');
-		}
-	}
 }

packages/cli/src/controllers/users.controller.ts

@@ -411,23 +411,8 @@ export class UsersController {
 			throw new NotFoundError('User not found');
 		}
 
-		const resetPasswordToken = this.jwtService.signData(
-			{ sub: user.id },
-			{
-				expiresIn: '1d',
-			},
-		);
-
-		const baseUrl = getInstanceBaseUrl();
-
-		const link = this.userService.generatePasswordResetUrl(
-			baseUrl,
-			resetPasswordToken,
-			user.mfaEnabled,
-		);
-		return {
-			link,
-		};
+		const link = this.userService.generatePasswordResetUrl(user);
+		return { link };
 	}
 
 	@Authorized(['global', 'owner'])

packages/cli/src/services/jwt.service.ts

@@ -10,8 +10,8 @@ export class JwtService {
 		return jwt.sign(payload, this.userManagementSecret, options);
 	}
 
-	public verifyToken(token: string, options: jwt.VerifyOptions = {}) {
-		return jwt.verify(token, this.userManagementSecret, options) as jwt.JwtPayload;
+	public verifyToken<T = JwtPayload>(token: string, options: jwt.VerifyOptions = {}) {
+		return jwt.verify(token, this.userManagementSecret, options) as T;
 	}
 }
 

packages/cli/src/services/user.service.ts

@@ -7,10 +7,18 @@ import { UserRepository } from '@/databases/repositories';
 import { getInstanceBaseUrl } from '@/UserManagement/UserManagementHelper';
 import type { PublicUser } from '@/Interfaces';
 import type { PostHogClient } from '@/posthog';
+import { type JwtPayload, JwtService } from './jwt.service';
+import { TokenExpiredError } from 'jsonwebtoken';
+import { Logger } from '@/Logger';
+import { createPasswordSha } from '@/auth/jwt';
 
 @Service()
 export class UserService {
-	constructor(private readonly userRepository: UserRepository) {}
+	constructor(
+		private readonly logger: Logger,
+		private readonly userRepository: UserRepository,
+		private readonly jwtService: JwtService,
+	) {}
 
 	async findOne(options: FindOneOptions<User>) {
 		return this.userRepository.findOne({ relations: ['globalRole'], ...options });
@@ -54,15 +62,57 @@ export class UserService {
 		return this.userRepository.update(userId, { settings: { ...settings, ...newSettings } });
 	}
 
-	generatePasswordResetUrl(instanceBaseUrl: string, token: string, mfaEnabled: boolean) {
+	generatePasswordResetToken(user: User, expiresIn = '20m') {
+		return this.jwtService.signData(
+			{ sub: user.id, passwordSha: createPasswordSha(user) },
+			{ expiresIn },
+		);
+	}
+
+	generatePasswordResetUrl(user: User) {
+		const instanceBaseUrl = getInstanceBaseUrl();
 		const url = new URL(`${instanceBaseUrl}/change-password`);
 
-		url.searchParams.append('token', token);
-		url.searchParams.append('mfaEnabled', mfaEnabled.toString());
+		url.searchParams.append('token', this.generatePasswordResetToken(user));
+		url.searchParams.append('mfaEnabled', user.mfaEnabled.toString());
 
 		return url.toString();
 	}
 
+	async resolvePasswordResetToken(token: string): Promise<User | undefined> {
+		let decodedToken: JwtPayload & { passwordSha: string };
+		try {
+			decodedToken = this.jwtService.verifyToken(token);
+		} catch (e) {
+			if (e instanceof TokenExpiredError) {
+				this.logger.debug('Reset password token expired', { token });
+			} else {
+				this.logger.debug('Error verifying token', { token });
+			}
+			return;
+		}
+
+		const user = await this.userRepository.findOne({
+			where: { id: decodedToken.sub },
+			relations: ['authIdentities', 'globalRole'],
+		});
+
+		if (!user) {
+			this.logger.debug(
+				'Request to resolve password token failed because no user was found for the provided user ID',
+				{ userId: decodedToken.sub, token },
+			);
+			return;
+		}
+
+		if (createPasswordSha(user) !== decodedToken.passwordSha) {
+			this.logger.debug('Password updated since this token was generated');
+			return;
+		}
+
+		return user;
+	}
+
 	async toPublic(user: User, options?: { withInviteUrl?: boolean; posthog?: PostHogClient }) {
 		const { password, updatedAt, apiKey, authIdentities, ...rest } = user;
 

packages/cli/test/integration/mfa/mfa.api.test.ts

@@ -1,14 +1,14 @@
+import Container from 'typedi';
 import config from '@/config';
 import * as Db from '@/Db';
 import type { Role } from '@db/entities/Role';
 import type { User } from '@db/entities/User';
-import * as testDb from './../shared/testDb';
-import * as utils from '../shared/utils';
 import { randomPassword } from '@/Ldap/helpers';
-import { randomDigit, randomString, randomValidPassword, uniqueId } from '../shared/random';
 import { TOTPService } from '@/Mfa/totp.service';
-import Container from 'typedi';
-import { JwtService } from '@/services/jwt.service';
+import { UserService } from '@/services/user.service';
+import { randomDigit, randomString, randomValidPassword, uniqueId } from '../shared/random';
+import * as testDb from '../shared/testDb';
+import * as utils from '../shared/utils';
 
 jest.mock('@/telemetry');
 
@@ -206,7 +206,7 @@ describe('Change password with MFA enabled', () => {
 	});
 
 	test('POST /change-password should fail due to missing MFA token', async () => {
-		const { user } = await testDb.createUserWithMfaEnabled();
+		await testDb.createUserWithMfaEnabled();
 
 		const newPassword = randomValidPassword();
 
@@ -216,11 +216,11 @@ describe('Change password with MFA enabled', () => {
 			.post('/change-password')
 			.send({ password: newPassword, token: resetPasswordToken });
 
-		expect(response.statusCode).toBe(400);
+		expect(response.statusCode).toBe(404);
 	});
 
 	test('POST /change-password should fail due to invalid MFA token', async () => {
-		const { user } = await testDb.createUserWithMfaEnabled();
+		await testDb.createUserWithMfaEnabled();
 
 		const newPassword = randomValidPassword();
 
@@ -232,7 +232,7 @@ describe('Change password with MFA enabled', () => {
 			mfaToken: randomDigit(),
 		});
 
-		expect(response.statusCode).toBe(400);
+		expect(response.statusCode).toBe(404);
 	});
 
 	test('POST /change-password should update password', async () => {
@@ -242,9 +242,7 @@ describe('Change password with MFA enabled', () => {
 
 		config.set('userManagement.jwtSecret', randomString(5, 10));
 
-		const jwtService = Container.get(JwtService);
-
-		const resetPasswordToken = jwtService.signData({ sub: user.id });
+		const resetPasswordToken = Container.get(UserService).generatePasswordResetToken(user);
 
 		const mfaToken = new TOTPService().generateTOTP(rawSecret);
 

packages/cli/test/integration/passwordReset.api.test.ts

@@ -1,8 +1,9 @@
 import { v4 as uuid } from 'uuid';
 import { compare } from 'bcryptjs';
 import { Container } from 'typedi';
-import { License } from '@/License';
+import { mock } from 'jest-mock-extended';
 
+import { License } from '@/License';
 import * as Db from '@/Db';
 import config from '@/config';
 import type { Role } from '@db/entities/Role';
@@ -10,6 +11,7 @@ import type { User } from '@db/entities/User';
 import { setCurrentAuthenticationMethod } from '@/sso/ssoHelpers';
 import { ExternalHooks } from '@/ExternalHooks';
 import { JwtService } from '@/services/jwt.service';
+import { UserService } from '@/services/user.service';
 import { UserManagementMailer } from '@/UserManagement/email';
 
 import * as utils from './shared/utils/';
@@ -33,6 +35,7 @@ const externalHooks = utils.mockInstance(ExternalHooks);
 const mailer = utils.mockInstance(UserManagementMailer, { isEmailSetUp: true });
 const testServer = utils.setupTestServer({ endpointGroups: ['passwordReset'] });
 const jwtService = Container.get(JwtService);
+let userService: UserService;
 
 beforeAll(async () => {
 	globalOwnerRole = await testDb.getGlobalOwnerRole();
@@ -45,6 +48,7 @@ beforeEach(async () => {
 	member = await testDb.createUser({ globalRole: globalMemberRole });
 	externalHooks.run.mockReset();
 	jest.replaceProperty(mailer, 'isEmailSetUp', true);
+	userService = Container.get(UserService);
 });
 
 describe('POST /forgot-password', () => {
@@ -127,7 +131,7 @@ describe('POST /forgot-password', () => {
 
 describe('GET /resolve-password-token', () => {
 	test('should succeed with valid inputs', async () => {
-		const resetPasswordToken = jwtService.signData({ sub: owner.id });
+		const resetPasswordToken = userService.generatePasswordResetToken(owner);
 
 		const response = await testServer.authlessAgent
 			.get('/resolve-password-token')
@@ -137,17 +141,15 @@ describe('GET /resolve-password-token', () => {
 	});
 
 	test('should fail with invalid inputs', async () => {
-		const first = await testServer.authlessAgent
+		await testServer.authlessAgent
 			.get('/resolve-password-token')
-			.query({ token: uuid() });
+			.query({ token: uuid() })
+			.expect(404);
 
-		const second = await testServer.authlessAgent
+		await testServer.authlessAgent
 			.get('/resolve-password-token')
-			.query({ userId: owner.id });
-
-		for (const response of [first, second]) {
-			expect(response.statusCode).toBe(400);
-		}
+			.query({ userId: owner.id })
+			.expect(400);
 	});
 
 	test('should fail if user is not found', async () => {
@@ -161,7 +163,18 @@ describe('GET /resolve-password-token', () => {
 	});
 
 	test('should fail if token is expired', async () => {
-		const resetPasswordToken = jwtService.signData({ sub: owner.id }, { expiresIn: '-1h' });
+		const resetPasswordToken = userService.generatePasswordResetToken(owner, '-1h');
+
+		const response = await testServer.authlessAgent
+			.get('/resolve-password-token')
+			.query({ userId: owner.id, token: resetPasswordToken });
+
+		expect(response.statusCode).toBe(404);
+	});
+
+	test('should fail after password has changed', async () => {
+		const updatedUser = mock<User>({ ...owner, password: 'another-password' });
+		const resetPasswordToken = userService.generatePasswordResetToken(updatedUser);
 
 		const response = await testServer.authlessAgent
 			.get('/resolve-password-token')
@@ -175,7 +188,7 @@ describe('POST /change-password', () => {
 	const passwordToStore = randomValidPassword();
 
 	test('should succeed with valid inputs', async () => {
-		const resetPasswordToken = jwtService.signData({ sub: owner.id });
+		const resetPasswordToken = userService.generatePasswordResetToken(owner);
 		const response = await testServer.authlessAgent.post('/change-password').send({
 			token: resetPasswordToken,
 			userId: owner.id,
@@ -202,7 +215,7 @@ describe('POST /change-password', () => {
 	});
 
 	test('should fail with invalid inputs', async () => {
-		const resetPasswordToken = jwtService.signData({ sub: owner.id });
+		const resetPasswordToken = userService.generatePasswordResetToken(owner);
 
 		const invalidPayloads = [
 			{ token: uuid() },
@@ -236,7 +249,7 @@ describe('POST /change-password', () => {
 	});
 
 	test('should fail when token has expired', async () => {
-		const resetPasswordToken = jwtService.signData({ sub: owner.id }, { expiresIn: '-1h' });
+		const resetPasswordToken = userService.generatePasswordResetToken(owner, '-1h');
 
 		const response = await testServer.authlessAgent.post('/change-password').send({
 			token: resetPasswordToken,
@@ -252,7 +265,7 @@ describe('POST /change-password', () => {
 	test('owner should be able to reset its password when quota:users = 1', async () => {
 		jest.spyOn(Container.get(License), 'getUsersLimit').mockReturnValueOnce(1);
 
-		const resetPasswordToken = jwtService.signData({ sub: owner.id });
+		const resetPasswordToken = userService.generatePasswordResetToken(owner);
 		const response = await testServer.authlessAgent.post('/change-password').send({
 			token: resetPasswordToken,
 			userId: owner.id,
@@ -281,7 +294,7 @@ describe('POST /change-password', () => {
 	test('member should not be able to reset its password when quota:users = 1', async () => {
 		jest.spyOn(Container.get(License), 'getUsersLimit').mockReturnValueOnce(1);
 
-		const resetPasswordToken = jwtService.signData({ sub: member.id });
+		const resetPasswordToken = userService.generatePasswordResetToken(member);
 		const response = await testServer.authlessAgent.post('/change-password').send({
 			token: resetPasswordToken,
 			userId: member.id,

packages/cli/test/integration/shared/utils/testServer.ts

@@ -236,19 +236,7 @@ export const setupTestServer = ({
 						registerController(app, config, Container.get(MeController));
 						break;
 					case 'passwordReset':
-						registerController(
-							app,
-							config,
-							new PasswordResetController(
-								logger,
-								externalHooks,
-								internalHooks,
-								mailer,
-								userService,
-								Container.get(JwtService),
-								mfaService,
-							),
-						);
+						registerController(app, config, Container.get(PasswordResetController));
 						break;
 					case 'owner':
 						registerController(

packages/cli/test/unit/services/user.service.test.ts

@@ -0,0 +1,73 @@
+import Container from 'typedi';
+import jwt from 'jsonwebtoken';
+import { Logger } from '@/Logger';
+import config from '@/config';
+import { User } from '@db/entities/User';
+import { UserRepository } from '@db/repositories';
+import { UserService } from '@/services/user.service';
+import { mockInstance } from '../../integration/shared/utils';
+
+describe('UserService', () => {
+	config.set('userManagement.jwtSecret', 'random-secret');
+
+	mockInstance(Logger);
+	const repository = mockInstance(UserRepository);
+	const service = Container.get(UserService);
+	const testUser = Object.assign(new User(), {
+		id: '1234',
+		password: 'passwordHash',
+		mfaEnabled: false,
+	});
+
+	beforeEach(() => {
+		jest.resetAllMocks();
+	});
+
+	describe('generatePasswordResetToken', () => {
+		it('should generate valid password-reset tokens', () => {
+			const token = service.generatePasswordResetToken(testUser);
+			const decoded = jwt.decode(token) as jwt.JwtPayload;
+			expect(decoded.sub).toEqual(testUser.id);
+			expect(decoded.exp! - decoded.iat!).toEqual(1200); // Expires in 20 minutes
+			expect(decoded.passwordSha).toEqual(
+				'31513c5a9e3c5afe5c06d5675ace74e8bc3fadd9744ab5d89c311f2a62ccbd39',
+			);
+		});
+	});
+
+	describe('resolvePasswordResetToken', () => {
+		it('should not return a user if the token in invalid', async () => {
+			const user = await service.resolvePasswordResetToken('invalid-token');
+			expect(user).toBeUndefined();
+		});
+
+		it('should not return a user if the token in expired', async () => {
+			const token = service.generatePasswordResetToken(testUser, '-1h');
+			const user = await service.resolvePasswordResetToken(token);
+			expect(user).toBeUndefined();
+		});
+
+		it('should not return a user if the user does not exist in the DB', async () => {
+			repository.findOne.mockResolvedValueOnce(null);
+			const token = service.generatePasswordResetToken(testUser);
+			const user = await service.resolvePasswordResetToken(token);
+			expect(user).toBeUndefined();
+		});
+
+		it('should not return a user if the password sha does not match', async () => {
+			const token = service.generatePasswordResetToken(testUser);
+			const updatedUser = Object.create(testUser);
+			updatedUser.password = 'something-else';
+			repository.findOne.mockResolvedValueOnce(updatedUser);
+			const user = await service.resolvePasswordResetToken(token);
+			expect(user).toBeUndefined();
+		});
+
+		it('should not return the user if all checks pass', async () => {
+			const token = service.generatePasswordResetToken(testUser);
+			repository.findOne.mockResolvedValueOnce(testUser);
+			const user = await service.resolvePasswordResetToken(token);
+			expect(user).toEqual(testUser);
+		});
+	});
+});

packages/editor-ui/src/plugins/i18n/locales/en.json

@@ -93,7 +93,7 @@
 	"auth.changePassword.passwordUpdatedMessage": "You can now sign in with your new password",
 	"auth.changePassword.passwordsMustMatchError": "Passwords must match",
 	"auth.changePassword.reenterNewPassword": "Re-enter new password",
-	"auth.changePassword.tokenValidationError": "Issue validating invite token",
+	"auth.changePassword.tokenValidationError": "Invalid password-reset token",
 	"auth.defaultPasswordRequirements": "8+ characters, at least 1 number and 1 capital letter",
 	"auth.validation.missingParameters": "Missing token or user id",
 	"auth.email": "Email",

packages/editor-ui/src/views/ChangePasswordView.vue

@@ -103,10 +103,8 @@ export default defineComponent({
 
 			await this.usersStore.validatePasswordToken({ token });
 		} catch (e) {
-			this.showMessage({
-				title: this.$locale.baseText('auth.changePassword.tokenValidationError'),
-				type: 'error',
-			});
+			this.showError(e, this.$locale.baseText('auth.changePassword.tokenValidationError'));
+			void this.$router.replace({ name: VIEWS.SIGNIN });
 		}
 	},
 	methods: {

packages/editor-ui/src/views/SignupView.vue

@@ -121,7 +121,7 @@ export default defineComponent({
 		async onSubmit(values: { [key: string]: string | boolean }) {
 			if (!this.inviterId || !this.inviteeId) {
 				this.showError(
-					new Error(this.$locale.baseText('auth.changePassword.tokenValidationError')),
+					new Error(this.$locale.baseText('auth.signup.tokenValidationError')),
 					this.$locale.baseText('auth.signup.setupYourAccountError'),
 				);
 				return;