From a67898464883803d2d0bf8eec42dd9a79c6b6548 Mon Sep 17 00:00:00 2001
From: nd <git@notandy.de>
Date: Fri, 7 Aug 2020 12:10:03 +0200
Subject: [PATCH] closes !2: only allow one valid token per kind at any given
 time

---
 uffd/selfservice/views.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/uffd/selfservice/views.py b/uffd/selfservice/views.py
index 73980178..1524fe98 100644
--- a/uffd/selfservice/views.py
+++ b/uffd/selfservice/views.py
@@ -110,7 +110,8 @@ def token_mail(token):
 def send_mail_verification(loginname, newmail):
 	session = db.session
 	expired_tokens = MailToken.query.filter(MailToken.created < (datetime.datetime.now() - datetime.timedelta(days=2))).all()
-	for i in expired_tokens:
+	duplicate_tokens = MailToken.query.filter(MailToken.loginname == loginname).all()
+	for i in expired_tokens + duplicate_tokens:
 		session.delete(i)
 	token = MailToken()
 	token.loginname = loginname
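Review bot: The one-token-per-loginname rule is enforced here only by deleting rows before the insert, so two overlapping calls to send_mail_verification for the same loginname can each run the delete and then each add a token, leaving two valid ones; the same applies to send_passwordreset in the next hunk. If that guarantee matters, a unique constraint on the loginname column of MailToken and PasswordToken (the model definitions are outside this diff) would let the database enforce it. Separately, the two `.all()` queries can be folded into one, `MailToken.query.filter((MailToken.created < cutoff) | (MailToken.loginname == loginname)).all()` with `cutoff` holding the two-day threshold, which avoids listing a row twice when it is both expired and owned by this loginname. The function body continues past the hunk, so the commit and transaction handling is not visible here.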
@@ -128,7 +129,8 @@ def send_mail_verification(loginname, newmail):
 def send_passwordreset(loginname):
 	session = db.session
 	expired_tokens = PasswordToken.query.filter(PasswordToken.created < (datetime.datetime.now() - datetime.timedelta(days=2))).all()
-	for i in expired_tokens:
+	duplicate_tokens = PasswordToken.query.filter(PasswordToken.loginname == loginname).all()
+	for i in expired_tokens + duplicate_tokens:
 		session.delete(i)
 	token = PasswordToken()
 	token.loginname = loginname
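Review bot: Deleting every PasswordToken for `loginname` on each call means a new request revokes the link the user may already have in their inbox. If send_passwordreset is reachable without authentication (the caller is outside this hunk), repeated requests for the same loginname keep invalidating that user's pending reset, so a per-loginname rate limit or a minimum age before reissue is worth adding in the caller. A short comment above the new query, `# revoke any outstanding reset token so only the newest link works`, would also make the intent explicit.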
-- 
GitLab