From cb89e4435c41baa5a50ab389efb0be0f1f8db1d6 Mon Sep 17 00:00:00 2001 From: Brent Wheeldon Date: Mon, 17 Nov 2014 14:44:15 -0500 Subject: [PATCH] Only set token back if password reset fails. This prevents the digested version of the token being saved when a reset is successful. --- lib/devise/models/recoverable.rb | 2 +- test/models/recoverable_test.rb | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/lib/devise/models/recoverable.rb b/lib/devise/models/recoverable.rb index fa74f25d..f5acfce2 100644 --- a/lib/devise/models/recoverable.rb +++ b/lib/devise/models/recoverable.rb @@ -146,7 +146,7 @@ module Devise end end - recoverable.reset_password_token = original_token + recoverable.reset_password_token = original_token if recoverable.reset_password_token.present? recoverable end diff --git a/test/models/recoverable_test.rb b/test/models/recoverable_test.rb index ab08de3d..95534d82 100644 --- a/test/models/recoverable_test.rb +++ b/test/models/recoverable_test.rb @@ -135,6 +135,7 @@ class RecoverableTest < ActiveSupport::TestCase reset_password_user = User.reset_password_by_token(reset_password_token: raw, password: '') assert_not reset_password_user.errors.empty? assert_match "can't be blank", reset_password_user.errors[:password].join + assert_equal raw, reset_password_user.reset_password_token end test 'should reset successfully user password given the new password and confirmation' do @@ -142,15 +143,17 @@ class RecoverableTest < ActiveSupport::TestCase old_password = user.password raw = user.send_reset_password_instructions - User.reset_password_by_token( + reset_password_user = User.reset_password_by_token( reset_password_token: raw, password: 'new_password', password_confirmation: 'new_password' ) - user.reload + assert_nil reset_password_user.reset_password_token + user.reload assert_not user.valid_password?(old_password) assert user.valid_password?('new_password') + assert_nil user.reset_password_token end test 'should not reset password after reset_password_within time' do