Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Delete only password reset tokens upon success
In the default authentication system created by `mix phx.gen.auth`, when a password has been successfully reset, it deletes all of the tokens regardless of their context. However, this is problematic in the following scenario:

- A user has been registered, which creates a token with the `confirm` context and account confirmation instructions delivered via email.
- The user has not clicked on the confirmation email message yet.
- The user requests password reset instructions and gets them via email.
- The user successfully follows the password reset instructions.
- The user tries to click on the confirmation email, but it is no longer valid.

By scoping the deletion to only `reset_password` tokens, the bug is gone and the confirm token will still be valid regardless of the above-mentioned process.
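The scenario in the commit message, as an added example that is not code from the commit or from the generator: an in-memory model of the token table showing which of a user's tokens survive a password reset under each deletion scope. `TokenModel`, the sample rows and the third policy are hypothetical, and the `session` context is an assumption taken from the generator's session tokens; it is included because narrowing the scope also decides whether existing sessions end when the password changes.

```elixir
# Added illustration: an in-memory stand-in for the token table, not phx.gen.auth code.
defmodule TokenModel do
  # Constructed sample rows: user 1 holds one token per context.
  def sample_tokens do
    [
      %{user_id: 1, context: "session", token: "s-1"},
      %{user_id: 1, context: "confirm", token: "c-1"},
      %{user_id: 1, context: "reset_password", token: "r-1"},
      %{user_id: 2, context: "session", token: "s-2"}
    ]
  end

  # Delete a user's tokens. `:all` removes every context; a list removes only
  # the listed contexts. Rows belonging to other users are never touched.
  def delete_tokens(tokens, user_id, :all) do
    Enum.reject(tokens, &(&1.user_id == user_id))
  end

  def delete_tokens(tokens, user_id, contexts) when is_list(contexts) do
    Enum.reject(tokens, &(&1.user_id == user_id and &1.context in contexts))
  end

  # Contexts the user still holds after the deletion.
  def surviving_contexts(tokens, user_id) do
    tokens
    |> Enum.filter(&(&1.user_id == user_id))
    |> Enum.map(& &1.context)
    |> Enum.sort()
  end
end

tokens = TokenModel.sample_tokens()

policies = [
  {"delete all (behaviour the commit message describes)", :all},
  {"delete reset_password only (this commit)", ["reset_password"]},
  # Hypothetical alternative, not part of the commit.
  {"delete reset_password and session", ["reset_password", "session"]}
]

for {label, scope} <- policies do
  left = tokens |> TokenModel.delete_tokens(1, scope) |> TokenModel.surviving_contexts(1)
  IO.puts("#{label}: user 1 keeps #{inspect(left)}")
end
```

Saved as a `.exs` file and run with `elixir`, it prints one line per policy: the first leaves user 1 with nothing, the second keeps both `confirm` and `session`, and the third keeps only `confirm`.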