From 30b3fedca4307452bc97e0817fa578ac1c5f71ed Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Tue, 13 Oct 2020 11:48:32 -0400
Subject: [PATCH] fix: password reset to invalidate all existing reset tokens
 for that uid

---
 src/user/profile.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/user/profile.js b/src/user/profile.js
index 229c5243bd..00e8970c35 100644
--- a/src/user/profile.js
+++ b/src/user/profile.js
@@ -325,6 +325,7 @@ module.exports = function (User) {
 				password: hashedPassword,
 				rss_token: utils.generateUUID(),
 			}),
+			User.reset.cleanByUid(data.uid),
 			User.reset.updateExpiry(data.uid),
 			User.auth.revokeAllSessions(data.uid),
 		]);