Add email query param to reset code path

This reduces any attack surface
2018-06-12 17:22:41 -07:00
parent 5a6ea33694
commit 32e6b9024c
8 changed files with 68 additions and 27 deletions
@@ -29,6 +29,7 @@ app.controller('Controller', ['$scope', function ($scope) {
        <form action="/api/v1/session/account/setup" method="post" name="setupForm" autocomplete="off" role="form" novalidate>
          <input type="password" style="display: none;">
          <input type="hidden" name="_csrf" value="<%= csrf %>"/>
+          <input type="hidden" name="email" value="<%= email %>"/>
          <input type="hidden" name="resetToken" value="<%= resetToken %>"/>

          <center><p class="has-error"><%= error %></p></center>
@@ -26,6 +26,7 @@ app.controller('Controller', [function () {}]);
        <form action="/api/v1/session/password/reset" method="post" name="resetForm" autocomplete="off" role="form" novalidate>
          <input type="password" style="display: none;">
          <input type="hidden" name="_csrf" value="<%= csrf %>"/>
+          <input type="hidden" name="email" value="<%= email %>"/>
          <input type="hidden" name="resetToken" value="<%= resetToken %>"/>

          <div class="form-group" ng-class="{ 'has-error': resetForm.password.$dirty && resetForm.password.$invalid }">