Commit
Delete only password reset tokens upon success
In the default authentication system created by `mix phx.gen.auth`, when a password has been successfully reset, all of the user's tokens are deleted regardless of their context. However, this is problematic in the following scenario:

- A user has been registered, which creates a token with the `confirm` context, and account confirmation instructions are delivered via email.
- The user does not click on the email message yet.
- The user requests password reset instructions and gets them via email.
- The user successfully follows the password reset instructions.

With the existing implementation, all of the user tokens get deleted, which means that the `confirm` token is gone as well, leaving an invalid email in the user's mailbox. By scoping the deletion to only `reset_password` tokens, the bug is gone and the `confirm` token will still be valid regardless of the process described above.
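The change the commit message describes, shown as an added illustration (this is not the commit's own diff). It assumes the `Accounts` context and `UserToken` schema that `mix phx.gen.auth` generates, a `UserToken.user_and_contexts_query/2` helper that builds a query by user and a list of contexts (or `:all`), and token contexts stored as strings such as `"confirm"`, `"reset_password"` and `"session"`.

```elixir
# Added illustration; helper names and the string contexts are assumptions
# about the phx.gen.auth-generated code, not copied from this commit.
defmodule MyApp.Accounts do
  alias MyApp.Accounts.{User, UserToken}
  alias MyApp.Repo

  # Before: every token belonging to the user is deleted, so an unused
  # "confirm" token emailed at registration stops working as well.
  def reset_user_password_before(user, attrs) do
    Ecto.Multi.new()
    |> Ecto.Multi.update(:user, User.password_changeset(user, attrs))
    |> Ecto.Multi.delete_all(:tokens, UserToken.user_and_contexts_query(user, :all))
    |> Repo.transaction()
    |> handle_reset()
  end

  # After: only tokens in the "reset_password" context are invalidated;
  # a pending "confirm" token survives the reset and stays usable.
  def reset_user_password(user, attrs) do
    Ecto.Multi.new()
    |> Ecto.Multi.update(:user, User.password_changeset(user, attrs))
    |> Ecto.Multi.delete_all(
      :tokens,
      UserToken.user_and_contexts_query(user, ["reset_password"])
    )
    |> Repo.transaction()
    |> handle_reset()
  end

  # Both variants run the password update and the token deletion in one
  # transaction, so a failed changeset leaves the tokens untouched.
  defp handle_reset({:ok, %{user: user}}), do: {:ok, user}
  defp handle_reset({:error, :user, changeset, _changes}), do: {:error, changeset}
end
```

Note that narrowing the deletion to `"reset_password"` also leaves `"session"` tokens intact, so a reset no longer logs out existing sessions; if that revocation is wanted, pass `["reset_password", "session"]` instead.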