SECURITY: expire all existing email tokens on password reset

app/models/user.rb

@@ -92,6 +92,7 @@ class User < ActiveRecord::Base
   after_save :clear_global_notice_if_needed
   after_save :refresh_avatar
   after_save :badge_grant
+  after_save :expire_old_email_tokens
 
   before_destroy do
     # These tables don't have primary keys, so destroying them with activerecord is tricky:
@@ -786,6 +787,12 @@ class User < ActiveRecord::Base
     BadgeGranter.queue_badge_grant(Badge::Trigger::UserChange, user: self)
   end
 
+  def expire_old_email_tokens
+    if password_hash_changed? && !id_changed?
+      email_tokens.where('not expired').update_all(expired: true)
+    end
+  end
+
   def update_tracked_topics
     return unless auto_track_topics_after_msecs_changed?
     TrackedTopicsUpdater.new(id, auto_track_topics_after_msecs).call

spec/models/user_spec.rb

@@ -521,12 +521,18 @@ describe User do
       expect(@user.active).to eq(false)
       expect(@user.confirm_password?("ilovepasta")).to eq(true)
 
+
+      email_token = @user.email_tokens.create(email: 'pasta@delicious.com')
+
       old_token = @user.auth_token
       @user.password = "passwordT"
       @user.save!
 
       # must expire old token on password change
       expect(@user.auth_token).to_not eq(old_token)
+
+      email_token.reload
+      expect(email_token.expired).to eq(true)
     end
   end