Пример #1
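  /**
   * Completes a password reset for the account named by a signed reset token.
   *
   * <p>The token must be accepted by {@code SignedToken.validate} and must equal the reset token
   * currently stored on the user. On success the stored token is cleared, so the same token is
   * rejected if presented again.
   *
   * @param signedToken the reset token presented by the caller
   * @param newPassword the new password; only its hash is stored
   * @return {@code true} if the password was changed, {@code false} if the token was rejected
   */
  @Override
  public boolean resetPassword(String signedToken, String newPassword) {
    // TODO: use KmsDao
    // NOTE(review): the second argument appears to be the token-signing secret. While it is a
    // literal in source, the signature adds little protection, so the stored-token comparison
    // below is the check that actually gates the reset. Confirm and move the key to KmsDao.
    String email = SignedToken.validate(signedToken, "hello");
    if (email == null) {
      // Invalid or expired token. The original tested `email != null`, which rejected every
      // valid token and let a failed validation continue to the database lookup.
      return false;
    }

    AppUser user = db.load(AppUser.class, email);
    if (user == null) {
      // No account for this email; answer the same way as for a bad token.
      return false;
    }
    // ObjectUtils.notEqual is null-safe, so a user with no pending reset (stored token null)
    // is rejected here as well.
    if (ObjectUtils.notEqual(signedToken, user.getPasswordResetToken())) {
      // Token is used more than once
      return false;
    }

    // NOTE(review): email is passed as the second argument, presumably as the salt. Confirm that
    // PasswordUtil.hash is a dedicated password-hashing function and not a bare digest.
    user.setPasswordHash(PasswordUtil.hash(newPassword, email));
    // Clear the token so it is single-use.
    user.setPasswordResetToken(null);
    db.save(user);
    return true;
  }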