From d0a475c04fd9ead5301ed7de9cc65776f58a4c87 Mon Sep 17 00:00:00 2001
From: Jinzhu
Date: Wed, 11 Oct 2017 15:00:53 +0800
Subject: [PATCH] Don't store reset password's token in URL path

---
 providers/password/password.go | 4 ++--
 providers/password/reset_password.go | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/providers/password/password.go b/providers/password/password.go
index eea4033..d47b3d9 100644
--- a/providers/password/password.go
+++ b/providers/password/password.go
@@ -179,9 +179,9 @@ func (provider Provider) ServeHTTP(context *auth.Context) {
 }
 case "edit":
 // render edit password page
- if len(paths) == 3 {
+ if token := context.Request.URL.Query().Get("token"); token != "" {
 context.Auth.Config.Render.Funcs(template.FuncMap{
- "reset_password_token": func() string { return paths[2] },
+ "reset_password_token": func() string { return token },
 }).Execute("auth/password/edit", context, context.Request, context.Writer)
 return
 }
diff --git a/providers/password/reset_password.go b/providers/password/reset_password.go
index dd0e823..e1262ad 100644
--- a/providers/password/reset_password.go
+++ b/providers/password/reset_password.go
@@ -47,7 +47,10 @@ var DefaultResetPasswordMailer = func(email string, context *auth.Context, claim
 },
 "reset_password_url": func() string {
 resetPasswordURL := utils.GetAbsURL(context.Request)
- resetPasswordURL.Path = path.Join(context.Auth.AuthURL("password/edit"), context.SessionStorer.SignedToken(claims))
+ resetPasswordURL.Path = path.Join(context.Auth.AuthURL("password/edit"))
+ qry := resetPasswordURL.Query()
+ qry.Set("token", context.SessionStorer.SignedToken(claims))
+ resetPasswordURL.RawQuery = qry.Encode()
 return resetPasswordURL.String()
 },
 }),
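Review bot: The token read on the new `if token := context.Request.URL.Query().Get("token")` line is handed straight to the template, but moving it from the path to the query string does not change where it ends up: it is still written to access logs and browser history, and the rendered edit page will send it in the Referer header to any third-party resource it loads. Since this branch only runs when a token is present, it would be worth setting headers that keep the token from leaving the browser before the `Execute` call, e.g. `context.Writer.Header().Set("Referrer-Policy", "no-referrer")` and `context.Writer.Header().Set("Cache-Control", "no-store")`, assuming `context.Writer` is an `http.ResponseWriter`. The branch gates only on `token != ""`; whether the token is verified against `SessionStorer` before a password update is accepted is not visible here. ServeHTTP starts and ends outside the hunk.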
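Review bot: The new `qry := resetPasswordURL.Query()` line starts from whatever query string the incoming request carried, because `resetPasswordURL` comes from `utils.GetAbsURL(context.Request)`, so any parameters on the recovery request are presumably copied into the emailed link next to the token (depends on what GetAbsURL preserves). Building the query from scratch limits the link to the one parameter the edit page reads: `resetPasswordURL.RawQuery = url.Values{"token": {context.SessionStorer.SignedToken(claims)}}.Encode()` (needs `net/url` imported). On the line above, `path.Join` with a single argument now only cleans the path; `resetPasswordURL.Path = context.Auth.AuthURL("password/edit")` reads more directly unless the cleaning is relied on. DefaultResetPasswordMailer starts and ends outside the hunk.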