Clear password reset tokens on password change

Conflicts from devel: History.md
2026-05-02 03:01:46 -04:00 · 2014-12-16 13:53:20 -08:00
parent 5924a6a140
commit 747dd88bbf
3 changed files with 29 additions and 1 deletions
--- a/History.md
+++ b/History.md
@@ -63,6 +63,8 @@

 * Make query parameter available to oauth1 services 6b8221d

+* Expire a user's password reset tokens when their password is changed.
+
 * Upgraded dependencies:
  - node: 0.10.33 (from 0.10.29)
  - source-map-support: 0.2.8 (from 0.2.5)
--- a/packages/accounts-password/password_server.js
+++ b/packages/accounts-password/password_server.js
@@ -307,7 +307,8 @@ Meteor.methods({changePassword: function (oldPassword, newPassword) {
      $set: { 'services.password.bcrypt': hashed },
      $pull: {
        'services.resume.loginTokens': { hashedToken: { $ne: currentToken } }
-      }
+      },
+      $unset: { 'services.password.reset': 1 }
    }
  );

--- a/packages/accounts-password/password_tests.js
+++ b/packages/accounts-password/password_tests.js
@@ -4,6 +4,10 @@ if (Meteor.isServer) {
  Meteor.methods({
    getUserId: function () {
      return this.userId;
+    },
+    getResetToken: function () {
+      var token = Meteor.users.findOne(this.userId).services.password.reset;
+      return token;
    }
  });
 }
@@ -167,6 +171,21 @@ if (Meteor.isClient) (function () {
        {username: this.username, email: this.email, password: this.password},
        loggedInAs(this.username, test, expect));
    },
+    // Send a password reset email so that we can test that password
+    // reset tokens get deleted on password change.
+    function (test, expect) {
+      Meteor.call("forgotPassword", { email: this.email }, expect(function (error) {
+        test.isFalse(error);
+      }));
+    },
+    function (test, expect) {
+      var self = this;
+      Meteor.call("getResetToken", expect(function (err, token) {
+        test.isFalse(err);
+        test.isTrue(token);
+        self.token = token;
+      }));
+    },
    // change password with bad old password. we stay logged in.
    function (test, expect) {
      var self = this;
@@ -180,6 +199,12 @@ if (Meteor.isClient) (function () {
      Accounts.changePassword(this.password, this.password2,
                              loggedInAs(this.username, test, expect));
    },
+    function (test, expect) {
+      Meteor.call("getResetToken", expect(function (err, token) {
+        test.isFalse(err);
+        test.isFalse(token);
+      }));
+    },
    logoutStep,
    // old password, failed login
    function (test, expect) {