Clear up reset password token whenever encrypted password changes

2026-04-28 03:00:29 -04:00 · 2015-05-26 15:00:12 +02:00
parent b14995167b
commit 31901bc862
2 changed files with 18 additions and 15 deletions
--- a/lib/devise/models/recoverable.rb
+++ b/lib/devise/models/recoverable.rb
@@ -30,14 +30,18 @@ module Devise
        [:reset_password_sent_at, :reset_password_token]
      end

+      included do
+        before_update :clear_reset_password_token, if: :encrypted_password_changed?
+      end
+
      # Update password saving the record and clearing token. Returns true if
      # the passwords are valid and the record was saved, false otherwise.
      def reset_password(new_password, new_password_confirmation)
        self.password = new_password
        self.password_confirmation = new_password_confirmation

-        if valid?
-          clear_reset_password_token
+        if respond_to?(:after_password_reset) && valid?
+          ActiveSupport::Deprecation.warn "after_password_reset is deprecated"
          after_password_reset
        end

@@ -90,19 +94,6 @@ module Devise
          self.reset_password_sent_at = nil
        end

-        # A callback initiated after password is successfully reset. This can
-        # be used to insert your own logic that is only run after the user
-        # successfully resets their password.
-        #
-        # Example:
-        #
-        #   def after_password_reset
-        #     self.update_attribute(:invite_code, nil)
-        #   end
-        #
-        def after_password_reset
-        end
-
        def set_reset_password_token
          raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)

--- a/test/models/recoverable_test.rb
+++ b/test/models/recoverable_test.rb
@@ -42,6 +42,18 @@ class RecoverableTest < ActiveSupport::TestCase
    assert_nil user.reset_password_token
  end

+  test 'should clear reset password token if changing password' do
+    user = create_user
+    assert_nil user.reset_password_token
+
+    user.send_reset_password_instructions
+    assert_present user.reset_password_token
+    user.password = "123456678"
+    user.password_confirmation = "123456678"
+    user.save!
+    assert_nil user.reset_password_token
+  end
+
  test 'should not clear reset password token if record is invalid' do
    user = create_user
    user.send_reset_password_instructions