From 709849d4085123341e759181cf3c2882ecdcb908 Mon Sep 17 00:00:00 2001
From: MUH <58882014+muhammedBkf@users.noreply.github.com>
Date: Tue, 26 Nov 2024 11:32:12 +0100
Subject: [PATCH] Fix: explicitly load `resetTokenExpireTime` in password reset (#109)

* explicitly load `resetTokenExpireTime` in password reset

* add sensitive attributes when loading the user in password reset

---
 helpers/users_helper.rb | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/helpers/users_helper.rb b/helpers/users_helper.rb
index fbb10d92..92dccc84 100644
--- a/helpers/users_helper.rb
+++ b/helpers/users_helper.rb
@@ -38,12 +38,10 @@ def token(len)
 end
 
 def reset_password(email, username, token)
-  user = LinkedData::Models::User.where(email: email, username: username).include(User.goo_attrs_to_load(includes_param)).first
+  user = LinkedData::Models::User.where(email: email, username: username).include(User.goo_attrs_to_load(includes_param) + [:resetToken, :passwordHash, :resetTokenExpireTime]).first
   error 404, "User not found" unless user
-  user.bring(:resetToken)
-  user.bring(:passwordHash)
   user.show_apikey = true
   token_accepted = token.eql?(user.resetToken)
   if token_accepted