From ae61922318fdddd2ee7f436486500dc0dc490bc7 Mon Sep 17 00:00:00 2001 From: gbrodman Date: Mon, 22 Jun 2026 13:33:17 -0400 Subject: [PATCH] Use existing pw reset code if creating from an existing instance (#3091) this means that modifying requests changes them in place in the db --- .../registry/model/console/PasswordResetRequest.java | 4 +++- .../server/console/PasswordResetVerifyActionTest.java | 10 ++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/core/src/main/java/google/registry/model/console/PasswordResetRequest.java b/core/src/main/java/google/registry/model/console/PasswordResetRequest.java index 11662e95e..eab5b603d 100644 --- a/core/src/main/java/google/registry/model/console/PasswordResetRequest.java +++ b/core/src/main/java/google/registry/model/console/PasswordResetRequest.java @@ -118,7 +118,9 @@ public class PasswordResetRequest extends ImmutableObject implements Buildable { checkArgumentNotNull(getInstance().requester, "Requester must be specified"); checkArgumentNotNull(getInstance().destinationEmail, "Destination email must be specified"); checkArgumentNotNull(getInstance().registrarId, "Registrar ID must be specified"); - getInstance().verificationCode = UUID.randomUUID().toString(); + if (getInstance().verificationCode == null) { + getInstance().verificationCode = UUID.randomUUID().toString(); + } return super.build(); } diff --git a/core/src/test/java/google/registry/ui/server/console/PasswordResetVerifyActionTest.java b/core/src/test/java/google/registry/ui/server/console/PasswordResetVerifyActionTest.java index 97b577258..954bc5536 100644 --- a/core/src/test/java/google/registry/ui/server/console/PasswordResetVerifyActionTest.java +++ b/core/src/test/java/google/registry/ui/server/console/PasswordResetVerifyActionTest.java @@ -85,6 +85,16 @@ public class PasswordResetVerifyActionTest extends ConsoleActionBaseTestCase { .isTrue(); } + @Test + void testFailure_post_replay() throws Exception { + createAction("POST", verificationCode, "newPassword1").run(); + assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK); + + // Attempting to reuse the same code should fail + createAction("POST", verificationCode, "newPassword2").run(); + assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST); + } + @Test void testFailure_get_invalidVerificationCode() throws Exception { createAction("GET", "invalid", null).run();