From 92d9a2a0d5c1d4bfbf70e3386e0a91465f7b5038 Mon Sep 17 00:00:00 2001
From: patrick-motsch
Date: Tue, 3 Mar 2026 23:07:41 +0100
Subject: [PATCH] 2 critical fixes: pwd reset and invitation caching ui
---
 modules/interfaces/interfaceDbApp.py | 4 ----
 modules/routes/routeSecurityLocal.py | 4 ++--
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/modules/interfaces/interfaceDbApp.py b/modules/interfaces/interfaceDbApp.py
index 4de62bd0..c7e4f8bf 100644
--- a/modules/interfaces/interfaceDbApp.py
+++ b/modules/interfaces/interfaceDbApp.py
@@ -662,10 +662,6 @@ class AppObjects:
 if authAuthority != AuthAuthority.LOCAL and authAuthority != AuthAuthority.LOCAL.value:
 raise ValueError("User does not have local authentication enabled")
- # Check if user has a reset token set (password reset required)
- if userRecord.get("resetToken"):
- raise ValueError("Passwort-Zurücksetzung erforderlich. Bitte prüfen Sie Ihre E-Mail.")
-
 if not userRecord.get("hashedPassword"):
 raise ValueError("User has no password set")
diff --git a/modules/routes/routeSecurityLocal.py b/modules/routes/routeSecurityLocal.py
index b846af63..c83d0d3f 100644
--- a/modules/routes/routeSecurityLocal.py
+++ b/modules/routes/routeSecurityLocal.py
@@ -602,8 +602,8 @@ def password_reset_request(
 # Generate reset token
 token, expires = rootInterface.generateResetTokenAndExpiry()
- # Set reset token (clears password)
- rootInterface.setResetToken(user.id, token, expires)
+ # Set reset token but keep existing password valid until new one is set
+ rootInterface.setResetToken(user.id, token, expires, clearPassword=False)
 # Generate magic link using provided frontend URL
 magicLink = f"{baseUrl}/reset?token={token}"
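Review bot: With `clearPassword=False` on the `setResetToken` call and the `resetToken` check removed from the login path in the first hunk, a pending reset token now stays redeemable alongside a working password until `expires`, and nothing visible in this patch invalidates it when the user simply logs in again. The redemption path (not shown) should enforce the expiry and clear the token on first use, and the comment here could record that dependency, e.g. `# Keep the password valid; the reset token must be single-use and rejected after expiry`. The patch only deletes lines in interfaceDbApp.py, so if `setResetToken` is defined there, confirm it already accepts a `clearPassword` keyword; otherwise this call raises `TypeError`. The context line `magicLink = f"{baseUrl}/reset?token={token}"` embeds the token in a URL described as provided; if `baseUrl` can originate from the request, it should be checked against the configured frontend origins before the link is built. password_reset_request begins and continues outside the hunk.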