reset the ApiToken on password changes/resets (#15433)

* reset the ApiToken on password changes/resets * fix/add tests * fix(typo): test grammar * update new API Token Strings, removed unused one --------- Co-authored-by: Kalista Payne <sabrecat@gmail.com>
2025-12-14 21:27:23 +01:00 · 2025-07-01 19:30:34 +02:00
parent e68661c04b
commit 6fdc072ec3
12 changed files with 106 additions and 74 deletions
--- a/test/api/v3/integration/user/auth/POST-auth_reset-password-set-new-one.js
+++ b/test/api/v3/integration/user/auth/POST-auth_reset-password-set-new-one.js
@@ -238,6 +238,28 @@ describe('POST /user/auth/reset-password-set-new-one', () => {
    expect(isPassValid).to.equal(true);
  });

+  it('changes the apiToken on password reset', async () => {
+    const user = await generateUser();
+    const previousToken = user.apiToken;
+
+    const code = encrypt(JSON.stringify({
+      userId: user._id,
+      expiresAt: moment().add({ days: 1 }),
+    }));
+    await user.updateOne({
+      'auth.local.passwordResetCode': code,
+    });
+
+    await api.post(`${endpoint}`, {
+      newPassword: 'my new password',
+      confirmPassword: 'my new password',
+      code,
+    });
+
+    await user.sync();
+    expect(user.apiToken).to.not.eql(previousToken);
+  });
+
  it('renders the success page and convert the password from sha1 to bcrypt', async () => {
    const user = await generateUser();