From 163581cbcdbbc8bc87fb316560098378923805f8 Mon Sep 17 00:00:00 2001
From: wrongecho <marcus@itflow.org>
Date: Mon, 27 Apr 2026 13:36:39 +0100
Subject: [PATCH] Expire all PW reset tokens nightly with cron

---
 cron/cron.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cron/cron.php b/cron/cron.php
index 5bd85338..c7f5dad1 100644
--- a/cron/cron.php
+++ b/cron/cron.php
@@ -112,6 +112,7 @@ mysqli_query($mysqli, "DELETE FROM shared_items WHERE item_expire_at < NOW()");
 
 // Invalidate any password reset links
 mysqli_query($mysqli, "UPDATE users SET user_password_reset_token = NULL WHERE user_archived_at IS NULL");
+mysqli_query($mysqli, "UPDATE users SET user_password_reset_token = NULL"); // TODO: Make this 'expired' tokens only when we actually use expiry
 
 // Clean-up old dismissed notifications
 mysqli_query($mysqli, "DELETE FROM notifications WHERE notification_dismissed_at < CURDATE() - INTERVAL 90 DAY");