[5.x] When a user changes their password, delete any password reset t…

…okens (#10694)
statamic · Sep 3, 2024 · 121c5e2 · 121c5e2
1 parent 6a1ba7b
commit 121c5e2
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 2 deletions.
diff --git a/src/Http/Controllers/CP/Users/PasswordController.php b/src/Http/Controllers/CP/Users/PasswordController.php
@@ -4,6 +4,7 @@
 
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Password as PasswordFacade;
 use Illuminate\Validation\Rules\Password;
 use Statamic\Events\UserPasswordChanged;
 use Statamic\Exceptions\NotFoundHttpException;
@@ -36,6 +37,8 @@ public function update(Request $request, $user)
             Auth::login($user);
         }
 
+        PasswordFacade::deleteToken($user);
+
         UserPasswordChanged::dispatch($user);
 
         return response('', 204);

diff --git a/src/Http/Controllers/User/PasswordController.php b/src/Http/Controllers/User/PasswordController.php
@@ -2,6 +2,7 @@
 
 namespace Statamic\Http\Controllers\User;
 
+use Illuminate\Support\Facades\Password;
 use Statamic\Facades\User;
 use Statamic\Http\Requests\UserPasswordRequest;
 
@@ -11,9 +12,9 @@ public function __invoke(UserPasswordRequest $request)
     {
         $user = User::current();
 
-        $user->password($request->password);
+        $user->password($request->password)->save();
 
-        $user->save();
+        Password::deleteToken($user);
 
         return $this->successfulResponse();
     }

diff --git a/tests/Tags/User/PasswordFormTest.php b/tests/Tags/User/PasswordFormTest.php
@@ -2,6 +2,7 @@
 
 namespace Tests\Tags\User;
 
+use Illuminate\Support\Facades\Password;
 use PHPUnit\Framework\Attributes\Test;
 use Statamic\Facades\Parse;
 use Statamic\Facades\User;
@@ -312,4 +313,25 @@ public function it_handles_precognitive_requests()
 
         $response->assertStatus(422);
     }
+
+    #[Test]
+    public function it_will_delete_any_password_reset_tokens_when_updating_password()
+    {
+        $user = tap(User::make()->email('[email protected]')->password('mypassword'))->save();
+
+        $token = Password::createToken($user);
+
+        $this->assertTrue(Password::tokenExists($user, $token));
+
+        $this
+            ->actingAs($user)
+            ->post('/!/auth/password', [
+                'current_password' => 'mypassword',
+                'password' => 'newpassword',
+                'password_confirmation' => 'newpassword',
+            ])
+            ->assertSessionHasNoErrors();
+
+        $this->assertFalse(Password::tokenExists($user, $token));
+    }
 }