mirror of https://github.com/heartcombo/devise.git synced 2022-11-09 12:18:31 -05:00

Only set token back if password reset fails.

This prevents the digested version of the token being saved when a reset
is successful.
Brent Wheeldon 2014-11-17 14:44:15 -05:00
parent 6fb466eb1e
commit cb89e4435c
2 changed files with 6 additions and 3 deletions
lib/devise/models
test/models


@ -146,7 +146,7 @@ module Devise
end
end
recoverable.reset_password_token = original_token
recoverable.reset_password_token = original_token if recoverable.reset_password_token.present?
recoverable
end
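Review bot: The new `if recoverable.reset_password_token.present?` guard infers a failed reset from the token still being set, so it depends on the success path clearing the token somewhere outside this hunk, and nothing on the line says so. On the failure path the returned record then holds the raw token in memory where the stored value is presumably the digest, so a caller that saves that object would persist the plaintext token. I would document both points above the line, e.g. `# Failure only: hand the raw token back so the form can be re-rendered; a successful reset has already cleared it.` and `# The record now carries the raw token, not the digest - do not save it.` The enclosing method starts above the hunk, so how the token is digested and cleared is not visible here.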


@ -135,6 +135,7 @@ class RecoverableTest < ActiveSupport::TestCase
reset_password_user = User.reset_password_by_token(reset_password_token: raw, password: '')
assert_not reset_password_user.errors.empty?
assert_match "can't be blank", reset_password_user.errors[:password].join
assert_equal raw, reset_password_user.reset_password_token
end
test 'should reset successfully user password given the new password and confirmation' do
@ -142,15 +143,17 @@ class RecoverableTest < ActiveSupport::TestCase
old_password = user.password
raw = user.send_reset_password_instructions
User.reset_password_by_token(
reset_password_user = User.reset_password_by_token(
reset_password_token: raw,
password: 'new_password',
password_confirmation: 'new_password'
)
user.reload
assert_nil reset_password_user.reset_password_token
user.reload
assert_not user.valid_password?(old_password)
assert user.valid_password?('new_password')
assert_nil user.reset_password_token
end
test 'should not reset password after reset_password_within time' do