UX: Use regular reset-password flow for expired passwords (#27316)

This makes it more obvious what's happening, and makes it much less likely that users will send repeated reset emails (and thereby hit the rate limit) Followup to e97ef7e9af60788f5761f6989ea2b70edaa3b79d
2025-05-30 15:28:37 +08:00 · 2024-06-04 12:47:33 +01:00
parent f0539afb02
commit aa37be3323
7 changed files with 47 additions and 53 deletions
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -353,13 +353,7 @@ class SessionController < ApplicationController

      # User's password has expired so they need to reset it
      if user.password_expired?(password)
-        begin
-          enqueue_password_reset_for_user(user)
-        rescue RateLimiter::LimitExceeded
-          # Just noop here as user would have already been sent the forgot password email more than once
-        end
-
-        render json: { error: I18n.t("login.password_expired") }
+        render json: { error: "expired", reason: "expired" }
        return
      end
    else