
12419 fix rerequesting pwd reset after an approved request has expired#105

Merged
giregk merged 2 commits into rgsystemes:fix-12419-rerequesting-pwd-reset-after-approved-expired-request from giregk:12419-fix-rerequesting-pwd-reset-after-approved-expired-request
Jun 18, 2026


@giregk commented Jun 17, 2026 (Contributor)

Copilot AI left a comment


Pull request overview

This PR adjusts the password reset request flow to avoid reusing expired password reset authorizations by filtering out expired reset_token_expiration_date records at query time, and removes the previous “expired token” handling branches in the route handler.

Changes:

  • Filters the password_reset_request lookup to only return requests with a non-expired reset_token_expiration_date (or NULL).
  • Removes the server-side logic that regenerated tokens / restarted requests when an existing request was expired.

Comments suppressed due to low confidence (1)

src/api2/routes/passwordReset/requestPasswordReset.ts:133

  • When manual validation is disabled, resetRequest can still be a PENDING_ADMIN_CHECK row (or any non-COMPLETED row) because the earlier SELECT does not filter by status/reset_token and explicitly allows reset_token_expiration_date IS NULL. In that case resetRequest.reset_token / resetRequest.reset_token_expiration_date may be null, but sendPasswordResetRequestEmail() requires a non-null token and a Date expiration, so this path can throw (or send a malformed email) instead of generating a new token.
      } else {
        await sendPasswordResetRequestEmail(
          safeBody.userEmail,
          authDbRes.rows[0].device_name,
          resetRequest.reset_token,
          resetRequest.reset_token_expiration_date,
          acceptLanguage,
        );
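
Added example, not part of this PR or the project's code: a guard for the failure mode the review comment describes, where a row that passes the expiry filter still has no token to e-mail. The types, function names, the "APPROVED" status value and the sample rows are assumptions made for illustration; only the column names and PENDING_ADMIN_CHECK come from the comment.

```typescript
// Added example. Column names and PENDING_ADMIN_CHECK come from the review
// comment; types, function names and sample rows are hypothetical.
type ResetRequest = {
  status: string;
  reset_token: string | null;
  reset_token_expiration_date: Date | null;
};

type Plan =
  | { action: "resend"; token: string; expires: Date }
  | { action: "issue_new_token" };

// The query-time filter from the PR overview, applied to in-memory rows:
// keep a request whose expiration is NULL or still in the future.
function findActiveRequest(rows: ResetRequest[], now: Date): ResetRequest | undefined {
  return rows.find((r) => {
    const exp = r.reset_token_expiration_date;
    return exp === null || exp.getTime() > now.getTime();
  });
}

// Guard for the branch that e-mails the token directly: reuse the row only
// when it carries a token and an unexpired Date, otherwise mint a new one.
function planResetEmail(row: ResetRequest | undefined, now: Date): Plan {
  if (row !== undefined && row.reset_token !== null) {
    const exp = row.reset_token_expiration_date;
    if (exp !== null && exp.getTime() > now.getTime()) {
      return { action: "resend", token: row.reset_token, expires: exp };
    }
  }
  return { action: "issue_new_token" };
}

// Constructed sample data ("APPROVED" is a made-up status value).
const NOW = new Date("2026-06-18T09:00:00Z");
const SAMPLE_ROWS: ResetRequest[] = [
  { status: "APPROVED", reset_token: "constructed-old-token",
    reset_token_expiration_date: new Date("2026-06-17T09:00:00Z") },
  { status: "PENDING_ADMIN_CHECK", reset_token: null,
    reset_token_expiration_date: null },
];
```

With the sample rows, the expired row is filtered out, the NULL-expiration row is selected, and the guard routes it to a fresh token instead of passing nulls to the mailer.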


Comment thread src/api2/routes/passwordReset/requestPasswordReset.ts
@giregk giregk merged commit 44d0804 into rgsystemes:fix-12419-rerequesting-pwd-reset-after-approved-expired-request Jun 18, 2026
1 check passed
@giregk giregk deleted the 12419-fix-rerequesting-pwd-reset-after-approved-expired-request branch June 18, 2026 09:06