Add a password change notification email (#1221)

* Adds an email notification for password resets
2026-01-31 11:54:23 +01:00 · 2020-01-20 23:05:44 -05:00
parent 60c46af58a
commit a2551db690
2 changed files with 12 additions and 0 deletions
--- a/CTFd/auth.py
+++ b/CTFd/auth.py
@@ -135,6 +135,7 @@ def reset_password(data=None):
                name=user.name,
            )
            db.session.close()
+            email.password_change_alert(user.email)
            return redirect(url_for("auth.login"))

    if request.method == "POST":
--- a/CTFd/utils/email/init.py
+++ b/CTFd/utils/email/init.py
@@ -16,6 +16,17 @@ def sendmail(addr, text, subject="Message from {ctf_name}"):
    return False, "No mail settings configured"


+def password_change_alert(email):
+    ctf_name = get_config("ctf_name")
+    text = (
+        "Your password for {ctf_name} has been changed.\n\n"
+        "If you didn't request a password change you can reset your password here: {url}"
+    ).format(ctf_name=ctf_name, url=url_for("auth.reset_password", _external=True))
+
+    subject = "Password Change Confirmation for {ctf_name}".format(ctf_name=ctf_name)
+    return sendmail(addr=email, text=text, subject=subject)
+
+
 def forgot_password(email):
    token = serialize(email)
    text = """Did you initiate a password reset?  If you didn't initiate this request you can ignore this email.