Prevent password reset spam (#973)

* Remove password reset tokens after 1 day and only allow 1 at a time

* Update expiration hint in email to reflect actual time

Author: Slendy

ProjectLighthouse/Database/DatabaseContext.WebTokens.cs

@@ -104,6 +104,7 @@ public async Task RemoveExpiredTokens()
         await this.WebTokens.RemoveWhere(t => DateTime.UtcNow > t.ExpiresAt);
         await this.EmailVerificationTokens.RemoveWhere(t => DateTime.UtcNow > t.ExpiresAt);
         await this.EmailSetTokens.RemoveWhere(t => DateTime.UtcNow > t.ExpiresAt);
+        await this.PasswordResetTokens.RemoveWhere(t => DateTime.UtcNow > t.Created.AddDays(1));
     }
 
     public async Task RemoveRegistrationToken(string? tokenString)

ProjectLighthouse/Helpers/EmailHelper.cs

@@ -46,6 +46,8 @@ public static async Task SendPasswordResetEmail(DatabaseContext database, IMailS
     {
         if (!CanSendMail(user)) return;
 
+        if (await database.PasswordResetTokens.CountAsync(t => t.UserId == user.UserId) > 0) return;
+
         PasswordResetTokenEntity token = new()
         {
             Created = DateTime.UtcNow,
@@ -59,7 +61,8 @@ public static async Task SendPasswordResetEmail(DatabaseContext database, IMailS
         string messageBody = $"Hello, {user.Username}.\n\n" +
                              "A request to reset your account's password was issued. If this wasn't you, this can probably be ignored.\n\n" +
                              $"If this was you, your {ServerConfiguration.Instance.Customization.ServerName} password can be reset at the following link:\n" +
-                             $"{ServerConfiguration.Instance.ExternalUrl}/passwordReset?token={token.ResetToken}";
+                             $"{ServerConfiguration.Instance.ExternalUrl}/passwordReset?token={token.ResetToken}\n\n" + 
+                             "This link will expire in 24 hours";
 
         await mail.SendEmailAsync(user.EmailAddress, $"Project Lighthouse Password Reset Request for {user.Username}", messageBody);