From 1c79579ff6720c6771a31be9c6d8262a6b6dc2e8 Mon Sep 17 00:00:00 2001
From: christopherholland-workday
Date: Wed, 4 Mar 2026 13:13:47 -0800
Subject: [PATCH 1/4] Fix Reset Password Auth Bypass
---
 .../server/src/enterprise/database/entities/user.entity.ts | 2 +-
 packages/server/src/enterprise/services/account.service.ts | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/packages/server/src/enterprise/database/entities/user.entity.ts b/packages/server/src/enterprise/database/entities/user.entity.ts
index 3bb455aefda..3e02cf59b69 100644
--- a/packages/server/src/enterprise/database/entities/user.entity.ts
+++ b/packages/server/src/enterprise/database/entities/user.entity.ts
@@ -30,7 +30,7 @@ export class User {
 @Column({ type: 'text', nullable: true, unique: true })
 tempToken?: string | null
- @CreateDateColumn({ nullable: true })
+ @Column({ type: 'datetime', nullable: true, default: null })
 tokenExpiry?: Date | null
 @Column({ type: 'varchar', length: 20, default: UserStatus.UNVERIFIED })
diff --git a/packages/server/src/enterprise/services/account.service.ts b/packages/server/src/enterprise/services/account.service.ts
index ae79e223694..b509750cffd 100644
--- a/packages/server/src/enterprise/services/account.service.ts
+++ b/packages/server/src/enterprise/services/account.service.ts
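Review bot: Replacing `@CreateDateColumn` with a plain nullable column is the right fix, since the old decorator auto-filled `tokenExpiry` with the row's creation time on every insert and so gave every account a non-null expiry with no reset in progress; what the hunk does not address is that this is a schema change and the diffstat shows no migration alongside it, so unless the schema is synchronized automatically existing deployments keep the old column definition. The literal `type: 'datetime'` is also driver-specific in TypeORM: it maps on MySQL/MariaDB and SQLite, but Postgres has no `datetime` type and expects `timestamp`, so if this project targets Postgres the column type should be made portable or chosen per driver. A why-comment on the field would keep the next maintainer from restoring the old decorator, e.g. `// Deliberately a plain nullable column: a creation-date decorator auto-populates it and gives every user an open reset window.`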
@@ -568,9 +568,11 @@ export class AccountService {
 const queryRunner = this.dataSource.createQueryRunner()
 await queryRunner.connect()
 try {
+ if (!data.user.tempToken) throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, UserErrorMessage.INVALID_TEMP_TOKEN)
+
 const user = await this.userService.readUserByEmail(data.user.email, queryRunner)
 if (!user) throw new InternalFlowiseError(StatusCodes.NOT_FOUND, UserErrorMessage.USER_NOT_FOUND)
- if (user.tempToken !== data.user.tempToken)
+ if (!user.tempToken || user.tempToken !== data.user.tempToken)
 throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, UserErrorMessage.INVALID_TEMP_TOKEN)
 const tokenExpiry = user.tokenExpiry
@@ -592,7 +594,7 @@ export class AccountService {
 const hash = bcrypt.hashSync(password, salt)
 data.user = user
 data.user.credential = hash
- data.user.tempToken = ''
+ data.user.tempToken = null
 data.user.tokenExpiry = undefined
 data.user.status = UserStatus.ACTIVE
From fed7fb3804479694f4a209e1c9a0895d5e6a4b4b Mon Sep 17 00:00:00 2001
From: christopherholland-workday
Date: Wed, 4 Mar 2026 13:35:11 -0800
Subject: [PATCH 2/4] Fix auth bypass in password reset
---
 packages/server/src/enterprise/services/account.service.ts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/packages/server/src/enterprise/services/account.service.ts b/packages/server/src/enterprise/services/account.service.ts
index b509750cffd..32a16a798b5 100644
--- a/packages/server/src/enterprise/services/account.service.ts
+++ b/packages/server/src/enterprise/services/account.service.ts
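Review bot: The two error paths around the new checks still distinguish an unknown email (`StatusCodes.NOT_FOUND` / `USER_NOT_FOUND`) from a known email with a wrong token (`StatusCodes.BAD_REQUEST` / `INVALID_TEMP_TOKEN`), so an unauthenticated caller of the reset endpoint can learn whether an address has an account; returning the same `INVALID_TEMP_TOKEN` error from the `if (!user)` branch removes that oracle without weakening the fix. The new `if (!user.tempToken || user.tempToken !== data.user.tempToken)` line also compares the secret with a plain `!==`; if `tempToken` is a random value, comparing equal-length buffers with `crypto.timingSafeEqual` is the usual hardening, though the bcrypt work later in the method likely dwarfs the timing difference. The enclosing method starts before this hunk and the expiry comparison lies after it.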
@@ -576,6 +576,8 @@ export class AccountService {
 throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, UserErrorMessage.INVALID_TEMP_TOKEN)
 const tokenExpiry = user.tokenExpiry
+ if (!tokenExpiry) throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, UserErrorMessage.INVALID_TEMP_TOKEN)
+
 const now = moment()
 const expiryInMins = process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES
 ? parseInt(process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES)
From 7d1e199f28ef5130bd5ff07d6545f3fb00242e08 Mon Sep 17 00:00:00 2001
From: christopherholland-workday
Date: Wed, 4 Mar 2026 14:03:32 -0800
Subject: [PATCH 3/4] Fix unauthorized password reset
---
 packages/server/src/enterprise/services/account.service.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/server/src/enterprise/services/account.service.ts b/packages/server/src/enterprise/services/account.service.ts
index 32a16a798b5..ae6ae424ab1 100644
--- a/packages/server/src/enterprise/services/account.service.ts
+++ b/packages/server/src/enterprise/services/account.service.ts
@@ -517,7 +517,7 @@ export class AccountService {
 const user = await this.userService.readUserByToken(data.user.tempToken, queryRunner)
 if (!user) throw new InternalFlowiseError(StatusCodes.NOT_FOUND, UserErrorMessage.USER_NOT_FOUND)
 data.user = user
- data.user.tempToken = ''
+ data.user.tempToken = null
 data.user.tokenExpiry = null
 data.user.status = UserStatus.ACTIVE
 data.user = await this.userService.saveUser(data.user, queryRunner)
From 9f205061229ba2bd5465d6264aaf727117692f9b Mon Sep 17 00:00:00 2001
From: christopherholland-workday
Date: Fri, 6 Mar 2026 09:08:58 -0800
Subject: [PATCH 4/4] Update packages/server/src/enterprise/services/account.service.ts
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 packages/server/src/enterprise/services/account.service.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
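Review bot: The new `if (!tokenExpiry)` guard closes the null case, but the window it feeds two lines below is read with `parseInt(process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES)` with no radix and no NaN check, so a non-numeric value yields `NaN` and whatever comparison against `now` follows outside the hunk cannot reject stale tokens deterministically. Consider `const parsed = Number.parseInt(raw, 10)` followed by `const expiryInMins = Number.isFinite(parsed) && parsed > 0 ? parsed : DEFAULT_MINUTES`, where `DEFAULT_MINUTES` stands for the existing fallback in the branch cut off below this hunk. The enclosing method starts before this hunk and the expiry comparison lies after it.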
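Review bot: The verification path at `@@ -517` looks up the account with `readUserByToken(data.user.tempToken, queryRunner)` but, unlike the reset path patched at line 568, never rejects an empty or missing `data.user.tempToken` before the lookup. If `readUserByToken` builds a TypeORM `where: { tempToken }` clause, an `undefined` value drops that condition and the query can return an arbitrary first row, which this code would then activate; an empty string is less dangerous now that cleared tokens are stored as `null`, but the guard is cheap and keeps both flows consistent. Mirror the reset path with `if (!data.user.tempToken) throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, UserErrorMessage.INVALID_TEMP_TOKEN)` before the `readUserByToken` call, and apply the same `tokenExpiry` check here if verification tokens are meant to expire. The enclosing method starts before this hunk.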
diff --git a/packages/server/src/enterprise/services/account.service.ts b/packages/server/src/enterprise/services/account.service.ts
index ae6ae424ab1..f803411886a 100644
--- a/packages/server/src/enterprise/services/account.service.ts
+++ b/packages/server/src/enterprise/services/account.service.ts
@@ -597,7 +597,7 @@ export class AccountService {
 data.user = user
 data.user.credential = hash
 data.user.tempToken = null
- data.user.tokenExpiry = undefined
+ data.user.tokenExpiry = null
 data.user.status = UserStatus.ACTIVE
 await queryRunner.startTransaction()