From 747dd88bbf2cf7d44bb6fe5bcc63a65ba5ef390b Mon Sep 17 00:00:00 2001 From: Emily Stark Date: Tue, 16 Dec 2014 13:53:20 -0800 Subject: [PATCH] Clear password reset tokens on password change Conflicts from devel: History.md --- History.md | 2 ++ packages/accounts-password/password_server.js | 3 ++- packages/accounts-password/password_tests.js | 25 +++++++++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/History.md b/History.md index 2cacb2e9cb..601301e13e 100644 --- a/History.md +++ b/History.md @@ -63,6 +63,8 @@ * Make query parameter available to oauth1 services 6b8221d +* Expire a user's password reset tokens when their password is changed. + * Upgraded dependencies: - node: 0.10.33 (from 0.10.29) - source-map-support: 0.2.8 (from 0.2.5) diff --git a/packages/accounts-password/password_server.js b/packages/accounts-password/password_server.js index 632a5bfce8..073520f86f 100644 --- a/packages/accounts-password/password_server.js +++ b/packages/accounts-password/password_server.js @@ -307,7 +307,8 @@ Meteor.methods({changePassword: function (oldPassword, newPassword) { $set: { 'services.password.bcrypt': hashed }, $pull: { 'services.resume.loginTokens': { hashedToken: { $ne: currentToken } } - } + }, + $unset: { 'services.password.reset': 1 } } ); diff --git a/packages/accounts-password/password_tests.js b/packages/accounts-password/password_tests.js index e485d301af..cda1c12a18 100644 --- a/packages/accounts-password/password_tests.js +++ b/packages/accounts-password/password_tests.js @@ -4,6 +4,10 @@ if (Meteor.isServer) { Meteor.methods({ getUserId: function () { return this.userId; + }, + getResetToken: function () { + var token = Meteor.users.findOne(this.userId).services.password.reset; + return token; } }); } 
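Review bot: The `$unset` is applied only inside the client-callable changePassword method, so any other server-side path that rewrites `services.password.bcrypt` (a server-only `Accounts.setPassword`, if this file has one — it is outside the hunk) would still leave a previously issued reset token usable against the new password; that path should carry the same `$unset: { 'services.password.reset': 1 }`. Nothing in the update says why a reset record is dropped alongside the hash change, so a one-line why-comment above the new modifier is worth adding: `// A reset token issued for the old password must not be able to overwrite the new one.` The enclosing changePassword method starts and ends outside this hunk, so I cannot see whether the method already refuses to run when `this.userId` is unset.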
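Review bot: `getResetToken` looks up `Meteor.users.findOne(this.userId)` without checking that a user is logged in; with no session `this.userId` is null, and depending on how this Meteor version's Mongo API treats a null selector the method either throws a bare TypeError on `.services`, or — in versions where an empty selector matched any document — returns some other user's reset token to the caller. Guard it with `if (!this.userId) throw new Meteor.Error(403, 'Not logged in');` before the lookup. Because this is a server method that returns a raw credential to the client, it deserves a comment making its scope explicit, e.g. `// Test-only helper: exposes the raw reset token to the client. Must never leave the test package.` The `var token = …; return token;` pair can be a single `return` expression.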
@@ -167,6 +171,21 @@ if (Meteor.isClient) (function () { {username: this.username, email: this.email, password: this.password}, loggedInAs(this.username, test, expect)); }, + // Send a password reset email so that we can test that password + // reset tokens get deleted on password change. + function (test, expect) { + Meteor.call("forgotPassword", { email: this.email }, expect(function (error) { + test.isFalse(error); + })); + }, + function (test, expect) { + var self = this; + Meteor.call("getResetToken", expect(function (err, token) { + test.isFalse(err); + test.isTrue(token); + self.token = token; + })); + }, // change password with bad old password. we stay logged in. function (test, expect) { var self = this; @@ -180,6 +199,12 @@ if (Meteor.isClient) (function () { Accounts.changePassword(this.password, this.password2, loggedInAs(this.username, test, expect)); }, + function (test, expect) { + Meteor.call("getResetToken", expect(function (err, token) { + test.isFalse(err); + test.isFalse(token); + })); + }, logoutStep, // old password, failed login function (test, expect) {
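Review bot: `self.token` is saved in the second new step but none of the steps visible in this hunk read it, so the `var self = this; … self.token = token;` capture is dead unless a later step outside the hunk uses it; either drop it or put it to use by replaying the saved token against `Accounts.resetPassword` after the password change and asserting it is rejected, which tests the user-visible property rather than only the database field. `test.isTrue(token)` also only establishes that something was stored; if the reset record carries the address it was issued for, `test.equal(token.email, self.email)` would pin that the token belongs to this account (field name to be confirmed against password_server.js, which is not in this hunk). The enclosing test-step array starts and ends outside the hunk.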
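Review bot: The new step after `Accounts.changePassword` only checks that the `services.password.reset` record is gone, not that the token captured earlier has actually stopped working, so a regression that kept the field but let resetPassword accept a stale token (or one that cleared the field through some other path) would not be caught by a test named for token expiry. Add a step, before `logoutStep`, that calls `Accounts.resetPassword` with the saved token and asserts an error; this assumes the record stored by forgotPassword keeps the token string under `token` (server code not in this diff — confirm the field name). A rejected reset does not log the user in, so the existing `logoutStep` still applies unchanged.
```javascript
// … unchanged: getResetToken step asserting the record is gone …
// The cleared field is the mechanism; the property under test is that the
// old token can no longer set a password on this account.
function (test, expect) {
  Accounts.resetPassword(this.token.token, 'unused-new-password',
                         expect(function (error) {
    test.isTrue(error);
  }));
},
logoutStep,
```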