From d8b5d40668c6fac1aa7de64ba379bf0cf0ee8f76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Thu, 18 Jan 2018 13:33:06 -0500
Subject: [PATCH] closes #6242
---
 src/user/reset.js | 7 +++++--
 test/user.js | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/src/user/reset.js b/src/user/reset.js
index fd0b5daa53..5b6e183b27 100644
--- a/src/user/reset.js
+++ b/src/user/reset.js
@@ -119,7 +119,7 @@ UserReset.commit = function (code, password, callback) {
 user.hashPassword(password, next);
 },
 function (hash, next) {
- async.parallel([
+ async.series([
 async.apply(user.setUserFields, uid, { password: hash, 'email:confirmed': 1 }),
 async.apply(db.deleteObjectField, 'reset:uid', code),
 async.apply(db.sortedSetRemove, 'reset:issueDate', code),
@@ -128,7 +128,10 @@ UserReset.commit = function (code, password, callback) {
 async.apply(user.auth.resetLockout, uid),
 async.apply(db.delete, 'uid:' + uid + ':confirm:email:sent'),
 async.apply(db.sortedSetRemove, 'users:notvalidated', uid),
- ], next);
+ async.apply(UserReset.cleanByUid, uid),
+ ], function (err) {
+ next(err);
+ });
 },
 ], callback);
 };
diff --git a/test/user.js b/test/user.js
index 9a098f4708..8de7491761 100644
--- a/test/user.js
+++ b/test/user.js
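Review bot: The switch from `async.parallel` to `async.series` at the head of this task list makes the order of the reset steps meaningful, but neither the code nor the commit message (`closes #6242`) says why. If the reason is that the `UserReset.cleanByUid` task added in the next hunk must not race the per-code deletions, a later change back to `parallel` would silently undo it. A comment above the call would pin the intent, for example `// series on purpose: finish the password write and per-code cleanup before cleanByUid revokes the remaining codes`. The task array runs past the end of this hunk, so the steps between the two hunks are not visible here.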
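Review bot: `UserReset.cleanByUid` is the last task of the `async.series`, so it is skipped whenever an earlier task reports an error, and by then `user.setUserFields` has already stored the new password hash. In that partial-failure case the account has a new password while the user's other outstanding reset codes stay usable, which is the state the accompanying test is meant to rule out. Consider revoking the codes next to the password write by moving `async.apply(UserReset.cleanByUid, uid),` to directly after the `user.setUserFields` task; `cleanByUid` is not shown on this page, so confirm it tolerates the committed code still being present. The `function (err) { next(err); }` wrapper also deserves a short comment such as `// drop the series results so the waterfall callback receives only err`.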
@@ -471,6 +471,40 @@ describe('User', function () {
 });
 });
 });
+
+ it('.commit() should invalidate old codes', function (done) {
+ var code1;
+ var code2;
+ var uid;
+ async.waterfall([
+ function (next) {
+ User.create({ username: 'doublereseter', email: 'sorry@forgot.com', password: '123456' }, next);
+ },
+ function (_uid, next) {
+ uid = _uid;
+ User.reset.generate(uid, next);
+ },
+ function (code, next) {
+ code1 = code;
+ User.reset.generate(uid, next);
+ },
+ function (code, next) {
+ code2 = code;
+ User.reset.validate(code1, next);
+ },
+ function (isValid, next) {
+ assert(isValid);
+ User.reset.commit(code2, 'newPwd123', next);
+ },
+ function (next) {
+ User.reset.validate(code1, next);
+ },
+ function (isValid, next) {
+ assert(!isValid);
+ next();
+ },
+ ], done);
+ });
 });
 describe('hash methods', function () {
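Review bot: The new test asserts only that the older code (`code1`) is rejected after the commit; it never checks that `code2`, the code that was just used, is spent as well. A regression that leaves a used reset code replayable would therefore still pass here. Unless another test outside this hunk already covers that, extend the final waterfall step to validate `code2` too, as sketched below. The enclosing `describe` block starts before and ends after this hunk.

```javascript
// … unchanged: create user, generate code1 and code2, commit with code2, re-validate code1 …
		function (isValid, next) {
			assert(!isValid);
			// the code that was just committed must not be reusable either
			User.reset.validate(code2, next);
		},
		function (isValid, next) {
			assert(!isValid);
			next();
		},
	], done);
```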