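/**
 * Completes a password reset using a signed, single-use reset token.
 *
 * <p>The token is validated first; the e-mail it yields is used to load the account. The reset
 * only proceeds when the presented token equals the token stored on that account. On success the
 * new password hash is stored and the stored reset token is cleared, so the same token cannot be
 * replayed.
 *
 * @param signedToken the reset token presented by the caller
 * @param newPassword the new password to hash and store
 * @return {@code true} if the password was changed; {@code false} if the token is invalid or
 *     expired, no account was loaded for it, or it does not match the stored reset token
 */
@Override
public boolean resetPassword(String signedToken, String newPassword) {
    // TODO: use KmsDao
    // NOTE(review): "hello" is a hard-coded literal passed as the second argument to
    // SignedToken.validate, presumably the signing secret. If so, anyone who can read this
    // source could produce tokens that pass validation. Load the key from KmsDao as the TODO
    // says before relying on this check.
    String email = SignedToken.validate(signedToken, "hello");
    if (email == null) {
        // Invalid or expired token. The original tested `email != null`, which rejected every
        // valid token and let invalid ones continue with a null e-mail.
        return false;
    }

    AppUser user = db.load(AppUser.class, email);
    if (user == null) {
        // Assumes db.load returns null for an unknown key (TODO confirm); fail closed rather
        // than dereference a missing account.
        return false;
    }

    if (ObjectUtils.notEqual(signedToken, user.getPasswordResetToken())) {
        // Token is used more than once (the stored token is cleared below after a successful
        // reset), or it was never issued for this account.
        return false;
    }

    // NOTE(review): the e-mail is passed as the second argument to PasswordUtil.hash; if that is
    // the salt, confirm a predictable per-user value is acceptable for the hash scheme in use.
    user.setPasswordHash(PasswordUtil.hash(newPassword, email));
    // Invalidate the token so it cannot be replayed.
    user.setPasswordResetToken(null);
    db.save(user);
    return true;
}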