Merge pull request #83 from Promptly-Technologies-LLC/41-make-sure-we-correctly-handle-password-reset-from-logged-in-users

chriscarrollsmith · web-flow · commit 10db84d64251 · 2025-01-02T09:31:54.000-05:00
41 make sure we correctly handle password reset from logged in users
diff --git a/main.py b/main.py
@@ -194,9 +194,7 @@ async def read_forgot_password(
     params: dict = Depends(common_unauthenticated_parameters),
     show_form: Optional[str] = "true",
 ):
-    if params["user"]:
-        return RedirectResponse(url="/dashboard", status_code=302)
-    params["show_form"] = show_form
+    params["show_form"] = show_form == "true"
 
     return templates.TemplateResponse(params["request"], "authentication/forgot_password.html", params)
 
diff --git a/routers/authentication.py b/routers/authentication.py
@@ -1,8 +1,9 @@
 # auth.py
 from logging import getLogger
 from typing import Optional
+from urllib.parse import urlparse
 from datetime import datetime
-from fastapi import APIRouter, Depends, HTTPException, BackgroundTasks, Form
+from fastapi import APIRouter, Depends, HTTPException, BackgroundTasks, Form, Request
 from fastapi.responses import RedirectResponse
 from pydantic import BaseModel, EmailStr, ConfigDict
 from sqlmodel import Session, select
@@ -300,6 +301,7 @@ async def refresh_token(
 @router.post("/forgot_password")
 async def forgot_password(
     background_tasks: BackgroundTasks,
+    request: Request,
     user: UserForgotPassword = Depends(UserForgotPassword.as_form),
     session: Session = Depends(get_session)
 ):
@@ -309,7 +311,14 @@ async def forgot_password(
     if db_user:
         background_tasks.add_task(send_reset_email, user.email, session)
 
-    return RedirectResponse(url="/forgot_password?show_form=false", status_code=303)
+    # Get the referer header, default to /forgot_password if not present
+    referer = request.headers.get("referer", "/forgot_password")
+
+    # Extract the path from the full URL
+    redirect_path = urlparse(referer).path
+
+    # Add the query parameter to the redirect path
+    return RedirectResponse(url=f"{redirect_path}?show_form=false", status_code=303)
 
 
 @router.post("/reset_password")
diff --git a/templates/users/profile.html b/templates/users/profile.html
@@ -93,11 +93,15 @@ <h1 class="mb-4">User Profile</h1>
             Change Password
         </div>
         <div class="card-body">
+            {% if show_form %}
             <form action="{{ url_for('forgot_password') }}" method="post">
                 <input type="hidden" name="email" value="{{ user.email }}">
                 <p>To change your password, please confirm your email. A password reset link will be sent to your email address.</p>
                 <button type="submit" class="btn btn-primary">Send Password Reset Email</button>
             </form>
+            {% else %}
+            <p>A password reset link has been sent to your email address. Note that you can request a password reset only once an hour. If you have not received an email, please check your spam folder or try again later.</p>
+            {% endif %}
         </div>
     </div>
 
