
With JWT, password reset token can be used more than once

Open velascopja opened this issue 5 years ago • 2 comments

It would be great if activator checks that the reset password token can be used only once.

As you suggest in issue #67, including the hash of the current password in the reset password token sounds great to me.

velascopja avatar Mar 25 '19 20:03 velascopja

Yes, we need to ensure it is used only once. When we didn't have JWT, we depended on a particular database structure. While that had significant downsides, one upside was that we could check if a reset token had been used. With JWT, we do not, which can be an issue.

Current suggestion is to include the first part of the existing hashed password - or even some algorithm generated by it - in the JWT itself, so that if it doesn't match, we reject it.

deitch avatar Mar 26 '19 08:03 deitch

Hmm, not so simple. We actually no longer get the existing password from user.find(), which is good, but eliminates using that as a seed.

Essentially, we are trying to use a per-reset nonce to prevent a replay attack. We need somewhere to store that nonce so we can validate it just for this request, or reliably generate it as just once. Without some persistent storage - which activator does not have - it does get challenging.

deitch avatar Mar 26 '19 10:03 deitch