fix(verifyToken): remove token once used

password & email tokens must be removed after use fix #5
adonisjs · Mar 31, 2018 · 328c22b · 328c22b
1 parent dc02443
commit 328c22b
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/src/Persona.js b/src/Persona.js
@@ -222,6 +222,21 @@ class Persona {
     return row && row.getRelated('user') ? row : null
   }
 
+  /**
+   * Remvoes the token from the tokens table
+   *
+   * @method removeToken
+   *
+   * @param  {String}    token
+   * @param  {String}    type
+   *
+   * @return {void}
+   */
+  async removeToken (token, type) {
+    const query = this.getModel().prototype.tokens().RelatedModel.query()
+    await query.where('token', token).where('type', type).delete()
+  }
+
   /**
    * Returns the model class
    *
@@ -544,6 +559,7 @@ class Persona {
      */
     if (user.account_status === this.config.newAccountState) {
       user.account_status = this.config.verifiedAccountState
+      this.removeToken(token, 'email')
       await user.save()
     }
 
@@ -733,9 +749,10 @@ class Persona {
     const user = tokenRow.getRelated('user')
     this._setPassword(user, this._getPassword(payload))
 
-    this.Event.fire('password::recovered', { user })
     await user.save()
+    await this.removeToken(token, 'password')
 
+    this.Event.fire('password::recovered', { user })
     return user
   }
 }

diff --git a/test/persona.spec.js b/test/persona.spec.js
@@ -257,6 +257,9 @@ test.group('Persona', (group) => {
 
     await user.reload()
     assert.equal(user.account_status, 'active')
+
+    const tokens = await user.tokens().fetch()
+    assert.equal(tokens.size(), 0)
   })
 
   test('do not set to active when initial state is not pending', async (assert) => {
@@ -644,6 +647,9 @@ test.group('Persona', (group) => {
     Event.restore()
 
     await user.reload()
+    const tokens = await user.tokens().fetch()
+    assert.equal(tokens.size(), 0)
+
     const verified = await use('Hash').verify('newsecret', user.password)
     assert.isTrue(verified)
   })