Defense in depth: validate CSRF token when starting password reset flow (could be DoS bug at worse, allowing removal of an existing account's ability to log in; would not have revealed the reset code to the caller; cookie security would have prevented this POST)

petergeneric · petergeneric · commit c5395ee412a0 · 2026-04-13T23:55:53.000+01:00
diff --git a/user-manager/service/src/main/java/com/peterphi/usermanager/ui/impl/UserUIServiceImpl.java b/user-manager/service/src/main/java/com/peterphi/usermanager/ui/impl/UserUIServiceImpl.java
@@ -273,6 +273,8 @@ public Response changePassword(final int userId,
 	@AuthConstraint(role = UserLogin.ROLE_ADMIN)
 	public Response startPasswordResetFlow(final int userId, final String token)
 	{
+		tokenStore.validate(TOKEN_USE, token);
+
 		final String resetCode = passwordResetService.start(userId);
 
 		TemplateCall call = templater.template("reset_password_flow_started");

Original file line number	Diff line number	Diff line change
`@@ -273,6 +273,8 @@ public Response changePassword(final int userId,`
`273`	`273`	`@AuthConstraint(role = UserLogin.ROLE_ADMIN)`
`274`	`274`	`public Response startPasswordResetFlow(final int userId, final String token)`
`275`	`275`	`{`
	`276`	`+ tokenStore.validate(TOKEN_USE, token);`
	`277`	`+`
`276`	`278`	`final String resetCode = passwordResetService.start(userId);`
`277`	`279`
`278`	`280`	`TemplateCall call = templater.template("reset_password_flow_started");`