diff --git a/app/models/user.rb b/app/models/user.rb index 0b528cbefeb..a55a3e754c1 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -320,7 +320,10 @@ class User < ActiveRecord::Base def password=(password) # special case for passwordless accounts - @raw_password = password unless password.blank? + unless password.blank? + @raw_password = password + self.auth_token = nil + end end def password diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb index 9e676b14945..a204083e085 100644 --- a/spec/models/user_spec.rb +++ b/spec/models/user_spec.rb @@ -509,18 +509,24 @@ describe User do end describe 'passwords' do - before do + + it "should not have an active account with a good password" do @user = Fabricate.build(:user, active: false) @user.password = "ilovepasta" @user.save! - end - it "should have a valid password after the initial save" do - expect(@user.confirm_password?("ilovepasta")).to eq(true) - end + @user.auth_token = SecureRandom.hex(16) + @user.save! - it "should not have an active account after initial save" do expect(@user.active).to eq(false) + expect(@user.confirm_password?("ilovepasta")).to eq(true) + + old_token = @user.auth_token + @user.password = "passwordT" + @user.save! + + # must expire old token on password change + expect(@user.auth_token).to_not eq(old_token) end end