Fix bug regarding token deletions upon successful password resets #5724
Commits on Feb 14, 2024
-
Delete only password reset tokens upon success
In the default authentication system created by the `mix phx.gen.auth`, when a password has been successfully reset, it deletes all of the tokens regardless of their context, however, this is problematic in the following scenario: - A user has been registered, which creates a token with the `confirm` context and account confirmation instructions delivered via email. - The user has not clicked on the confirmation email message yet. - The user requests password reset instructions and gets them via email. - The user successfully follows the password reset instructions. - The user tries to click on the confirmation email, but it is no longer valid. By scoping the deletion to only `reset_password` tokens, the bug is gone and the confirm token will still be valid regardless of the abovementioned process.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.