get a email as well as token from req.query

src/server/middlewares/password-reset.js

@@ -2,9 +2,9 @@ module.exports = (crowi, app) => {
   const PasswordResetOrder = crowi.model('PasswordResetOrder');
 
   return async(req, res, next) => {
-    const { token } = req.params;
+    const { token, email } = req.query;
 
-    const passwordResetOrder = await PasswordResetOrder.findOne({ token });
+    const passwordResetOrder = await PasswordResetOrder.findOne({ token, email });
     // check the oneTimeToken is valid
     if (passwordResetOrder == null || passwordResetOrder.isExpired()) {
       return res.redirect('/login');

src/server/routes/forgot-password.js

@@ -38,7 +38,7 @@ module.exports = function(crowi, app) {
 
     try {
       const passwordResetOrderData = await PasswordResetOrder.createPasswordResetOrder(email);
-      const url = new URL(`/forgot-password/${passwordResetOrderData.token}`, appUrl);
+      const url = new URL(`/forgot-password/reset-password?email=${email}&token=${passwordResetOrderData.token}`, appUrl);
       const oneTimeUrl = url.href;
       await sendPasswordResetEmail(email, oneTimeUrl, i18n);
       return res.json(ApiResponse.success());