js · nocodb
Heads-up
NocoDB: Forgot-password flow fails to revoke refresh tokens
The password-forgot flow did not delete the user's refresh tokens, allowing a stolen refresh token to remain valid after password reset.
What changed
The passwordForgot flow issued a password reset without deleting the user's existing refresh tokens, so a refresh token stolen before the reset kept working after it. The fix deletes all of the user's refresh tokens as part of that flow.
Who it affects
Users of NocoDB who have used the forgot-password recovery flow and may have had a refresh token compromised.
What to do today
Apply the fix that adds UserRefreshToken.deleteAllUserToken(user.id) to the passwordForgot flow.
Source
GitHub Advisory · nocodb