# HG changeset patch # User Matthew Wild # Date 1738837470 0 # Node ID e977174082ee31b7beac26e779cad99f00ba6b22 # Parent 76ae646563eae841d26abfe02ba958ebcd797faf mod_invites_register_api: Use set_password() for password resets Previously the code relied on the (weird) behaviour of create_user(), which would update the password for a user account if it already existed. This has several issues, and we plan to deprecate this behaviour of create_user(). The larger issue is that this route does not trigger the user-password-changed event, which can be a security problem. For example, it did not disconnect existing user sessions (this occurs in mod_c2s in response to the event). Switching to set_password() is the right thing to do diff -r 76ae646563ea -r e977174082ee mod_invites_register_api/mod_invites_register_api.lua --- a/mod_invites_register_api/mod_invites_register_api.lua Thu Feb 06 10:23:08 2025 +0000 +++ b/mod_invites_register_api/mod_invites_register_api.lua Thu Feb 06 10:24:30 2025 +0000 @@ -75,39 +75,45 @@ if reset_for ~= prepped_username then return 403; -- Attempt to use reset invite for incorrect user end + local ok, err = usermanager.set_password(prepped_username, password, module.host); + if not ok then + module:log("error", "Unable to reset password for %s@%s: %s", prepped_username, module.host, err); + return 500; + end + module:fire_event("user-password-reset", user); elseif usermanager.user_exists(prepped_username, module.host) then return 409; -- Conflict - end + else + local registering = { + validated_invite = invite; + username = prepped_username; + host = module.host; + ip = request.ip; + allowed = true; + }; - local registering = { - validated_invite = invite; - username = prepped_username; - host = module.host; - ip = request.ip; - allowed = true; - }; + module:fire_event("user-registering", registering); - module:fire_event("user-registering", registering); - - if not registering.allowed then - return 403; - end + if not registering.allowed then + return 403; + end - local ok, err = usermanager.create_user(prepped_username, password, module.host); + local ok, err = usermanager.create_user(prepped_username, password, module.host); - if not ok then - local err_id = id.short(); - module:log("warn", "Registration failed (%s): %s", err_id, tostring(err)); - return 500; - end + if not ok then + local err_id = id.short(); + module:log("warn", "Registration failed (%s): %s", err_id, tostring(err)); + return 500; + end - module:fire_event("user-registered", { - username = prepped_username; - host = module.host; - source = "mod_"..module.name; - validated_invite = invite; - ip = request.ip; - }); + module:fire_event("user-registered", { + username = prepped_username; + host = module.host; + source = "mod_"..module.name; + validated_invite = invite; + ip = request.ip; + }); + end return json.encode({ jid = prepped_username .. "@" .. module.host;