Clearing perishable token when confirming or reseting password.

lib/devise/models/confirmable.rb

@@ -35,6 +35,7 @@ module Devise
       #
       def confirm!
         unless_confirmed do
+          clear_perishable_token
           update_attribute(:confirmed_at, Time.now)
         end
       end

lib/devise/models/perishable.rb

@@ -36,6 +36,10 @@ module Devise
         reset_perishable_token && save(false)
       end
 
+      def clear_perishable_token
+        self.perishable_token = nil
+      end
+
       module ClassMethods
 
         # Attempt to find a user by and incoming perishable_token. If no user is

lib/devise/models/recoverable.rb

@@ -26,11 +26,13 @@ module Devise
         self.password_confirmation = new_password_confirmation
       end
 
-      # Update password saving the record. Returns true if the passwords are
-      # valid, otherwise false.
+      # Update password saving the record and clearing token. Returns true if
+      # the passwords are valid and the record was saved, false otherwise.
       #
       def reset_password!(new_password, new_password_confirmation)
-        reset_password(new_password, new_password_confirmation) and save
+        reset_password(new_password, new_password_confirmation)
+        clear_perishable_token
+        save
       end
 
       # Resets perishable token and send reset password instructions by email

test/integration/recoverable_test.rb

@@ -82,7 +82,8 @@ class UsersPasswordRecoveryTest < ActionController::IntegrationTest
 
   test 'not authenticated user with valid perisable token but invalid password should not be able to change his password' do
     user = create_user
-    reset_password :perishable_token => user.perishable_token do
+    request_forgot_password
+    reset_password :perishable_token => user.reload.perishable_token do
       fill_in 'Password confirmation', :with => 'other_password'
     end
 
@@ -95,7 +96,8 @@ class UsersPasswordRecoveryTest < ActionController::IntegrationTest
 
   test 'not authenticated user with valid data should be able to change his password' do
     user = create_user
-    reset_password :perishable_token => user.perishable_token
+    request_forgot_password
+    reset_password :perishable_token => user.reload.perishable_token
 
     assert_template 'sessions/new'
     assert_contain 'Your password was changed successfully.'

test/models/confirmable_test.rb

@@ -17,6 +17,13 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_not_nil user.confirmed_at
   end
 
+  test 'should clear perishable token while confirming a user' do
+    user = create_user
+    assert_present user.perishable_token
+    user.confirm!
+    assert_nil user.perishable_token
+  end
+
   test 'should verify whether a user is confirmed or not' do
     assert_not new_user.confirmed?
     user = create_user

test/models/recoverable_test.rb

@@ -17,6 +17,13 @@ class RecoverableTest < ActiveSupport::TestCase
     assert create_user.reset_password!('123456789', '123456789')
   end
 
+  test 'should clear perishable token while reseting the password' do
+    user = create_user
+    assert_present user.perishable_token
+    user.reset_password!('123456789', '123456789')
+    assert_nil user.perishable_token
+  end
+
   test 'should not reset password with invalid data' do
     user = create_user
     user.stubs(:valid?).returns(false)