Add reset_url allow list for password reset request

api/src/controllers/auth.ts

@@ -166,11 +166,13 @@ router.post(
 
 		try {
 			await service.requestPasswordReset(req.body.email, req.body.reset_url || null);
-		} catch {
-			// We don't want to give away what email addresses exist, so we'll always return a 200
-			// from this endpoint
-		} finally {
 			return next();
+		} catch (err) {
+			if (err instanceof InvalidPayloadException) {
+				throw err;
+			} else {
+				return next();
+			}
 		}
 	}),
 	respond

api/src/services/users.ts

@@ -123,6 +123,12 @@ export class UsersService extends ItemsService {
 		const payload = { email, scope: 'password-reset' };
 		const token = jwt.sign(payload, env.SECRET as string, { expiresIn: '1d' });
 
+		const urlWhitelist = toArray(env.PASSWORD_RESET_URL_ALLOW_LIST);
+
+		if (url && urlWhitelist.includes(url) === false) {
+			throw new InvalidPayloadException(`Url "${url}" can't be used to reset passwords.`);
+		}
+
 		const acceptURL = url ? `${url}?token=${token}` : `${env.PUBLIC_URL}/admin/reset-password?token=${token}`;
 
 		await sendPasswordResetMail(email, acceptURL);