refactor(identity): require ApplicationUrl for password reset emails (#5415)

tidusjar · web-flow · commit a1ee23cbd2ae · 2026-05-30T21:18:59.000+01:00
* refactor(identity): require ApplicationUrl for password reset emails

Simplify the reset-link construction in IdentityController by dropping
the implicit fallback to HttpContext.Request.Host. The link is now
sourced from the configured ApplicationUrl customization setting only;
if it isn't set, the endpoint logs and returns the existing generic
response without sending mail.

Collapses the URL construction to a single source of truth and keeps
the response shape identical across all branches.

* refactor(identity): scope ApplicationUrl guard to local-user reset branch

Move the missing-ApplicationUrl guard inside the local/Jellyfin/non-Connect
Emby branch where the reset link is actually built. Plex and Emby Connect
flows use hardcoded external URLs and don't depend on ApplicationUrl, so
they continue to send reset emails regardless of configuration.

Also drop the redundant `var url = appUrl` local and use `appUrl` directly.
diff --git a/src/Ombi/Controllers/V1/IdentityController.cs b/src/Ombi/Controllers/V1/IdentityController.cs
@@ -797,9 +797,6 @@ public async Task<OmbiIdentityResult> SubmitResetPassword([FromBody] SubmitPassw
             var emailSettings = await EmailSettings.GetSettingsAsync();
 
             var appUrl = customizationSettings.AddToUrl("/token?token=");
-            var url = (string.IsNullOrEmpty(appUrl)
-                ? $"{HttpContext.Request.Scheme}://{HttpContext.Request.Host}/token?token="
-                : appUrl);
 
             if (user.UserType == UserType.PlexUser)
             {
@@ -825,6 +822,12 @@ await EmailProvider.SendAdHoc(new NotificationMessage
             }
             else
             {
+                if (string.IsNullOrEmpty(appUrl))
+                {
+                    _log.LogWarning("Password reset requested but ApplicationUrl is not configured; cannot build reset link.");
+                    return defaultMessage;
+                }
+
                 // We have the user
                 var token = await UserManager.GeneratePasswordResetTokenAsync(user);
                 var encodedToken = WebUtility.UrlEncode(token);
@@ -835,7 +838,7 @@ await EmailProvider.SendAdHoc(new NotificationMessage
                     Subject = $"{appName} Password Reset",
                     Message =
                         $"You recently made a request to reset your {appName} account. Please click the link below to complete the process.<br/><br/>" +
-                        $"<a href=\"{url}{encodedToken}\"> Reset </a>"
+                        $"<a href=\"{appUrl}{encodedToken}\"> Reset </a>"
                 }, emailSettings);
             }
 
