Invalidate reset code once used

packages/backend-core/src/cache/passwordReset.ts

@@ -1,6 +1,6 @@
 import * as redis from "../redis/init"
 import * as utils from "../utils"
-import { Duration, DurationType } from "../utils"
+import { Duration } from "../utils"
 
 const TTL_SECONDS = Duration.fromHours(1).toSeconds()
 
@@ -36,3 +36,12 @@ export async function getCode(code: string): Promise<PasswordReset> {
   }
   return value
 }
+
+/**
+ * Given a reset code this will invalidate it.
+ * @param code The code provided via the email link.
+ */
+export async function invalidateCode(code: string): Promise<void> {
+  const client = await redis.getPasswordResetClient()
+  await client.delete(code)
+}

packages/worker/src/sdk/auth/auth.ts

@@ -79,6 +79,8 @@ export const resetUpdate = async (resetCode: string, password: string) => {
   user.password = password
   user = await userSdk.db.save(user)
 
+  await cache.passwordReset.invalidateCode(resetCode)
+
   // remove password from the user before sending events
   delete user.password
   await events.user.passwordReset(user)