Remove ResetCodes after email change (#1191)

Co-authored-by: Adrià Casajús <adria.casajus@proton.ch>

app/auth/views/change_email.py

@@ -3,7 +3,7 @@ from flask_login import login_user
 
 from app.auth.base import auth_bp
 from app.db import Session
-from app.models import EmailChange
+from app.models import EmailChange, ResetPasswordCode
 
 
 @auth_bp.route("/change_email", methods=["GET", "POST"])
@@ -25,6 +25,7 @@ def change_email():
     user.email = email_change.new_email
 
     EmailChange.delete(email_change.id)
+    ResetPasswordCode.filter_by(user_id=user.id).delete()
     Session.commit()
 
     flash("Your new email has been updated", "success")

tests/auth/test_change_email.py

@@ -0,0 +1,33 @@
+from flask import url_for
+
+from app.db import Session
+from app.models import EmailChange, User, ResetPasswordCode
+from tests.utils import create_new_user, random_token, random_email
+
+
+def test_change_email(flask_client):
+    user = create_new_user()
+    user.activated = False
+    user_id = user.id
+    email_change = EmailChange.create(
+        user_id=user.id,
+        code=random_token(),
+        new_email=random_email(),
+    )
+    reset_id = ResetPasswordCode.create(user_id=user_id, code=random_token()).id
+    email_change_id = email_change.id
+    email_change_code = email_change.code
+    new_email = email_change.new_email
+    Session.commit()
+
+    r = flask_client.get(
+        url_for("auth.change_email", code=email_change_code),
+        follow_redirects=True,
+    )
+
+    assert r.status_code == 200
+
+    user = User.get(user_id)
+    assert user.email == new_email
+    assert EmailChange.get(email_change_id) is None
+    assert ResetPasswordCode.get(reset_id) is None