fix: password reset token (#4743)

packages/backend/server/src/modules/auth/resolver.ts

@@ -135,12 +135,13 @@ export class AuthResolver {
     @Args('token') token: string,
     @Args('newPassword') newPassword: string
   ) {
-    const id = await this.session.get(token);
-    if (!id || id !== user.id) {
+    // we only create user account after user sign in with email link
+    const email = await this.session.get(token);
+    if (!email || email !== user.email || !user.emailVerified) {
       throw new ForbiddenException('Invalid token');
     }
 
-    await this.auth.changePassword(id, newPassword);
+    await this.auth.changePassword(email, newPassword);
     await this.session.delete(token);
 
     return user;

packages/backend/server/src/modules/auth/service.ts

@@ -233,10 +233,13 @@ export class AuthService {
     return Boolean(user.password);
   }
 
-  async changePassword(id: string, newPassword: string): Promise<User> {
+  async changePassword(email: string, newPassword: string): Promise<User> {
     const user = await this.prisma.user.findUnique({
       where: {
-        id,
+        email,
+        emailVerified: {
+          not: null,
+        },
       },
     });
 
@@ -248,7 +251,7 @@ export class AuthService {
 
     return this.prisma.user.update({
       where: {
-        id,
+        id: user.id,
       },
       data: {
         password: hashedPassword,