Completes a password reset: writes the hash, claims the token, invalidates siblings.
Delegates to completePasswordResetWithPasswordHash, which avoids MongoDB multi-document
transactions (unsupported on the default standalone Compose MongoDB). See
docs/password-recovery.md — do not reintroduce withTransaction without a replica set.
Call only after password validation and account eligibility checks succeed.
Parameters
token: string
URL-safe reset token from the client.
passwordHash: string
Bcrypt hash to persist for the account.
Returns Promise<boolean>
True when the password was updated and the token claimed; false when
the token was already used, expired, or could not be claimed after the password update.
Throws
Propagates errors from the password update; the reset link stays valid because
the token is only claimed after the hash is written successfully.
Completes a password reset: writes the hash, claims the token, invalidates siblings.
Delegates to
completePasswordResetWithPasswordHash, which avoids MongoDB multi-document transactions (unsupported on the default standalone Compose MongoDB). Seedocs/password-recovery.md— do not reintroducewithTransactionwithout a replica set.Call only after password validation and account eligibility checks succeed.