From e641b4b7b97159054b7d92fb14df557ac18ae6f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Tue, 26 May 2015 15:09:07 +0200
Subject: [PATCH] Also reset password token on email change
---
 lib/devise/models/recoverable.rb | 6 +++++-
 test/models/recoverable_test.rb | 11 +++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/lib/devise/models/recoverable.rb b/lib/devise/models/recoverable.rb
index dd4d66a0..f90279c3 100644
--- a/lib/devise/models/recoverable.rb
+++ b/lib/devise/models/recoverable.rb
@@ -31,7 +31,11 @@ module Devise
 end
 included do
- before_update :clear_reset_password_token, if: :encrypted_password_changed?
+ before_save do
+ if email_changed? || encrypted_password_changed?
+ clear_reset_password_token
+ end
+ end
 end
 # Update password saving the record and clearing token. Returns true if
diff --git a/test/models/recoverable_test.rb b/test/models/recoverable_test.rb
index ca03a503..8198698b 100644
--- a/test/models/recoverable_test.rb
+++ b/test/models/recoverable_test.rb
@@ -54,6 +54,17 @@ class RecoverableTest < ActiveSupport::TestCase
 assert_nil user.reset_password_token
 end
+ test 'should clear reset password token if changing email' do
+ user = create_user
+ assert_nil user.reset_password_token
+
+ user.send_reset_password_instructions
+ assert_present user.reset_password_token
+ user.email = "another@example.com"
+ user.save!
+ assert_nil user.reset_password_token
+ end
+
 test 'should not clear reset password token if record is invalid' do
 user = create_user
 user.send_reset_password_instructions
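Review bot: In the lib/devise/models/recoverable.rb hunk, the new `before_save` block calls `email_changed?` unconditionally, so a Recoverable model with no `email` attribute (for example one that authenticates by another key) would presumably raise NoMethodError on every save. Guarding the call keeps the token reset for models that do have the attribute: `if (respond_to?(:email_changed?) && email_changed?) || encrypted_password_changed?`. The callback also moved from `before_update` to `before_save`, so it now runs on create as well; a comment such as `# Invalidate outstanding reset tokens whenever the email or password changes` would record the intent. The enclosing module starts and ends outside the hunk.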
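Review bot: In the test/models/recoverable_test.rb hunk, the final `assert_nil user.reset_password_token` of the new test inspects only the in-memory object, so it does not show that the cleared value is what ends up stored. Asserting on the reloaded record pins the persisted state: `assert_nil user.reload.reset_password_token`. A companion case that changes an unrelated attribute and expects the token to be kept would also guard against the callback clearing tokens more often than intended.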