Login and Registration: Flush `user_activation_key` after successfully login.

This changeset ensures the `user_activation_key` is flushed after successful login, so reset password links can not be used anymore after the user successfully log into their dashboard.

Props nsinelnikov, rajinsharwar, Rahmohn, oglekler, hellofromTonya.
Fixes #58901.
See #32429



Built from https://develop.svn.wordpress.org/trunk@58333


git-svn-id: http://core.svn.wordpress.org/trunk@57789 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/user.php

@@ -110,6 +110,28 @@ function wp_signon( $credentials = array(), $secure_cookie = '' ) {
 	}
 
 	wp_set_auth_cookie( $user->ID, $credentials['remember'], $secure_cookie );
+
+	/**
+	 * @global wpdb $wpdb WordPress database abstraction object.
+	 */
+	global $wpdb;
+
+	// Flush `user_activation_key` if exists after successful login.
+	if ( ! empty( $user->user_activation_key ) ) {
+		$wpdb->update(
+			$wpdb->users,
+			array(
+				'user_activation_key' => '',
+			),
+			array( 'ID' => $user->ID ),
+			array( '%s' ),
+			array( '%d' )
+		);
+
+		// Empty user_activation_key object.
+		$user->user_activation_key = '';
+	}
+
 	/**
 	 * Fires after the user has successfully logged in.
 	 *

wp-includes/version.php

@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.6-alpha-58332';
+$wp_version = '6.6-alpha-58333';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.