SECURITY: expire all existing email tokens on password reset

2025-05-21 18:12:32 +08:00 · 2015-06-06 03:50:06 +10:00
parent 4171eb758c
commit feeb509a97
2 changed files with 13 additions and 0 deletions
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -521,12 +521,18 @@ describe User do
      expect(@user.active).to eq(false)
      expect(@user.confirm_password?("ilovepasta")).to eq(true)

+
+      email_token = @user.email_tokens.create(email: 'pasta@delicious.com')
+
      old_token = @user.auth_token
      @user.password = "passwordT"
      @user.save!

      # must expire old token on password change
      expect(@user.auth_token).to_not eq(old_token)
+
+      email_token.reload
+      expect(email_token.expired).to eq(true)
    end
  end