From b3c5e836d55e08b4c36151685e71202a157aaf5a Mon Sep 17 00:00:00 2001
From: Carmen
Date: Tue, 22 Mar 2016 20:26:38 +0800
Subject: [PATCH] Clear reset password token after reset password. `_perishable_token` is not a parse field, cannot clear it through rest. Update it separately. #951
---
 src/Controllers/UserController.js | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/Controllers/UserController.js b/src/Controllers/UserController.js
index 97cc35aa..d4e3355e 100644
--- a/src/Controllers/UserController.js
+++ b/src/Controllers/UserController.js
@@ -168,7 +168,15 @@ export class UserController extends AdaptableController {
 updatePassword(username, token, password, config) {
 return this.checkResetTokenValidity(username, token).then((user) => {
 return updateUserPassword(user._id, password, this.config);
- });
+ }).then(() => {
+ // clear reset password token
+ return this.config.database.adaptiveCollection('_User').then(function (collection) {
+ // Need direct database access because verification token is not a parse field
+ return collection.findOneAndUpdate({ username: username },// query
+ { $set: { _perishable_token: null } } // update
+ );
+ });
+ });
 }

 defaultVerificationEmail({link, user, appName, }) {
@@ -195,8 +203,7 @@ export class UserController extends AdaptableController {
 // Mark this private
 function updateUserPassword(userId, password, config) {
 return rest.update(config, Auth.master(config), '_User', userId, {
- password: password,
- _perishable_token: null
+ password: password
 });
 }
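Review bot: In the first hunk the reset token is cleared only after the password has been written, by a separate `findOneAndUpdate` keyed on `username` alone, so the validity check, the password write and the token clear are three independent steps. Two requests carrying the same token can both pass `checkResetTokenValidity` before either clears it, and if the clear fails the password is already changed while the token stays usable. Consider consuming the token conditionally and before the password write, with the token in the filter, e.g. `collection.findOneAndUpdate({ username: username, _perishable_token: token }, { $set: { _perishable_token: null } })`, and rejecting when nothing matched; matching on `user._id` from the first step would also avoid relying on the caller-supplied `username` a second time. The body of `checkResetTokenValidity` is outside the hunk, so how it queries is not visible here.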
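Review bot: In the second hunk `updateUserPassword` no longer clears `_perishable_token`, but nothing at the function says so; the only comment there is `// Mark this private`. A comment such as `// Does not clear _perishable_token; the caller must invalidate the reset token itself` would keep a future caller from leaving a used reset token valid. Only the `updatePassword` caller is visible in this diff, so whether other callers exist is not known from here.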