From f9728aff2ce55fe1c8dfa8f6d7b9cd4d26dcc8e6 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Mon, 14 Jun 2021 11:50:32 -0400
Subject: [PATCH] feat: clear reset tokens on successful login
---
 src/controllers/authentication.js | 1 +
 test/authentication.js | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js
index aabbcea44e..09fb7d7e78 100644
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -360,6 +360,7 @@ authenticationController.onSuccessfulLogin = async function (req, uid) {
 await meta.blacklist.test(req.ip);
 await user.logIP(uid, req.ip);
 await user.bans.unbanIfExpired([uid]);
+ await user.reset.cleanByUid(uid);
 req.session.meta = {};
diff --git a/test/authentication.js b/test/authentication.js
index 1769fd5712..ce92392d9d 100644
--- a/test/authentication.js
+++ b/test/authentication.js
@@ -556,4 +556,11 @@ describe('authentication', () => {
 },
 ], done);
 });
+
+ it('should clear all reset tokens upon successful login', async () => {
+ const code = await user.reset.generate(regularUid);
+ await loginUserPromisified('regular', 'regularpwd');
+ const valid = await user.reset.validate(code);
+ assert.strictEqual(valid, false);
+ });
 });
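Review bot: The added `await user.reset.cleanByUid(uid);` in onSuccessfulLogin has no error handling of its own, so if the enclosing code (outside this hunk) propagates rejections, a datastore failure while deleting reset tokens would abort an otherwise valid login before `req.session.meta` is set. Decide whether that fail-closed behaviour is intended and say so, or treat the cleanup as best-effort by catching and logging the error. The line also deserves a why-comment, for example `// A successful login invalidates any outstanding password-reset tokens so an old reset link cannot be used later`. The function body begins and ends outside the hunk.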
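Review bot: The new test never checks that the code is valid before the login, so it would still pass if `user.reset.generate` or `user.reset.validate` were broken and `validate` returned false for every code. Add `assert.strictEqual(await user.reset.validate(code), true);` right after the `generate` call so the final assertion proves the login is what invalidated the token. The title says "all reset tokens" but only one is generated; either generate two codes and check both, or reword the title. The enclosing describe block starts outside the hunk.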