From b8028b218254a1cfd1801f07af68bf0bce46eed5 Mon Sep 17 00:00:00 2001 From: Daniel Date: Sun, 5 Jul 2026 01:02:25 +1000 Subject: [PATCH] refactor: Document intentional expired-token match in password reset resend flow --- src/Routers/UsersRouter.js | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js index d3a3603dfc..6a25f31829 100644 --- a/src/Routers/UsersRouter.js +++ b/src/Routers/UsersRouter.js @@ -578,6 +578,12 @@ export class UsersRouter extends ClassesRouter { // We can find the user using token if (token) { + // Match only EXPIRED tokens (`$lt` now) on purpose. This branch powers the + // "resend password reset email" flow: when a reset link has expired, PagesRouter + // preserves the expired token on the link-expired page, and the user resends from + // it to get a fresh token + email. A still-valid token needs no resend. Do NOT + // change `$lt` to `$gt` — that breaks this flow and the + // 'can resend email using an expired reset password token' spec. (#9935) userResults = await req.config.database.find('_User', { _perishable_token: token, _perishable_token_expires_at: { $lt: Parse._encode(new Date()) },