diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 23dfb48705e..137cf9d6bda 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -321,6 +321,7 @@ class UsersController < ApplicationController
 else
 @user.password = params[:password]
 @user.password_required!
+ @user.auth_token = nil
 if @user.save
 Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
 logon_after_password_reset
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 159e007c712..39e4aae8e1c 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -266,13 +266,19 @@ describe UsersController do
 context 'valid token' do
 it 'returns success' do
- user = Fabricate(:user)
+ user = Fabricate(:user, auth_token: SecureRandom.hex(16))
 token = user.email_tokens.create(email: user.email).token
+ old_token = user.auth_token
+
 get :password_reset, token: token
 put :password_reset, token: token, password: 'newpassword'
 expect(response).to be_success
 expect(assigns[:error]).to be_blank
+
+ user.reload
+ expect(user.auth_token).to_not eq old_token
+ expect(user.auth_token.length).to eq 32
 end
 end
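Review bot: The new `@user.auth_token = nil` line in the users_controller.rb hunk carries no comment, unlike the neighbouring `Invite.invalidate_for_email` line that explains its intent; add `@user.auth_token = nil # invalidate every session issued with the old token; a fresh one is expected on save`. The controller never assigns a replacement token itself — the spec hunk expects a new 32-character value after `reload`, which suggests the model regenerates it during `save`, so it is worth confirming that regeneration always runs here rather than a nil token being persisted and later matched by the session lookup. The enclosing action starts and ends outside the hunk.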