lynndylanhurley · KwanjiChoi · Feb 1, 2024
diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb
@@ -73,7 +73,7 @@ def update
       # make sure user is authorized
       if require_client_password_reset_token? && resource_params[:reset_password_token]
         @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
-        return render_update_error_unauthorized unless @resource
+        return render_update_error_unauthorized unless @resource && @resource.reset_password_period_valid?
 
         @token = @resource.create_token
       else