Fix/15429 forgotpasswordresetapi session management (#17390)

api/controllers/console/auth/forgot_password.py

@@ -99,44 +99,57 @@ class ForgotPasswordResetApi(Resource):
         parser.add_argument("password_confirm", type=valid_password, required=True, nullable=False, location="json")
         args = parser.parse_args()
 
-        new_password = args["new_password"]
+        # Validate passwords match
-        password_confirm = args["password_confirm"]
+        if args["new_password"] != args["password_confirm"]:
-
-        if str(new_password).strip() != str(password_confirm).strip():
             raise PasswordMismatchError()
 
-        token = args["token"]
+        # Validate token and get reset data
-        reset_data = AccountService.get_reset_password_data(token)
+        reset_data = AccountService.get_reset_password_data(args["token"])
-
+        if not reset_data:
-        if reset_data is None:
             raise InvalidTokenError()
 
-        AccountService.revoke_reset_password_token(token)
+        # Revoke token to prevent reuse
+        AccountService.revoke_reset_password_token(args["token"])
 
+        # Generate secure salt and hash password
         salt = secrets.token_bytes(16)
-        base64_salt = base64.b64encode(salt).decode()
+        password_hashed = hash_password(args["new_password"], salt)
 
-        password_hashed = hash_password(new_password, salt)
+        email = reset_data.get("email", "")
-        base64_password_hashed = base64.b64encode(password_hashed).decode()
 
         with Session(db.engine) as session:
-            account = session.execute(select(Account).filter_by(email=reset_data.get("email"))).scalar_one_or_none()
+            account = session.execute(select(Account).filter_by(email=email)).scalar_one_or_none()
+
             if account:
-            account.password = base64_password_hashed
+                self._update_existing_account(account, password_hashed, salt, session)
-            account.password_salt = base64_salt
+            else:
-            db.session.commit()
+                self._create_new_account(email, args["password_confirm"])
-            tenant = TenantService.get_join_tenants(account)
+
-            if not tenant and not FeatureService.get_system_features().is_allow_create_workspace:
+        return {"result": "success"}
+
+    def _update_existing_account(self, account, password_hashed, salt, session):
+        # Update existing account credentials
+        account.password = base64.b64encode(password_hashed).decode()
+        account.password_salt = base64.b64encode(salt).decode()
+        session.commit()
+
+        # Create workspace if needed
+        if (
+            not TenantService.get_join_tenants(account)
+            and FeatureService.get_system_features().is_allow_create_workspace
+        ):
             tenant = TenantService.create_tenant(f"{account.name}'s Workspace")
             TenantService.create_tenant_member(tenant, account, role="owner")
             account.current_tenant = tenant
             tenant_was_created.send(tenant)
-        else:
+
+    def _create_new_account(self, email, password):
+        # Create new account if allowed
         try:
-                account = AccountService.create_account_and_tenant(
+            AccountService.create_account_and_tenant(
-                    email=reset_data.get("email", ""),
+                email=email,
-                    name=reset_data.get("email", ""),
+                name=email,
-                    password=password_confirm,
+                password=password,
                 interface_language=languages[0],
             )
         except WorkSpaceNotAllowedCreateError:
@@ -144,8 +157,6 @@ class ForgotPasswordResetApi(Resource):
         except AccountRegisterError:
             raise AccountInFreezeError()
 
-        return {"result": "success"}
-
 
 api.add_resource(ForgotPasswordSendEmailApi, "/forgot-password")
 api.add_resource(ForgotPasswordCheckApi, "/forgot-password/validity")