From f4c5198055c17a19bb3a2598bfa24be5dadb9838 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adri=C3=A0=20Casaj=C3=BAs?=
Date: Tue, 26 Jul 2022 14:43:31 +0200
Subject: [PATCH] Remove ResetCodes after email change (#1191)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Adrià Casajús
---
 app/auth/views/change_email.py | 3 ++-
 tests/auth/test_change_email.py | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 tests/auth/test_change_email.py
diff --git a/app/auth/views/change_email.py b/app/auth/views/change_email.py
index 544b6fc9..9e70c882 100644
--- a/app/auth/views/change_email.py
+++ b/app/auth/views/change_email.py
@@ -3,7 +3,7 @@ from flask_login import login_user
 from app.auth.base import auth_bp
 from app.db import Session
-from app.models import EmailChange
+from app.models import EmailChange, ResetPasswordCode
 @auth_bp.route("/change_email", methods=["GET", "POST"])
@@ -25,6 +25,7 @@ def change_email():
 user.email = email_change.new_email
 EmailChange.delete(email_change.id)
+ ResetPasswordCode.filter_by(user_id=user.id).delete()
 Session.commit()
 flash("Your new email has been updated", "success")
diff --git a/tests/auth/test_change_email.py b/tests/auth/test_change_email.py
new file mode 100644
index 00000000..0b8305f3
--- /dev/null
+++ b/tests/auth/test_change_email.py
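Review bot: In app/auth/views/change_email.py, the line added after `EmailChange.delete(email_change.id)` has no comment saying why password-reset codes are dropped at this point, so it reads as unrelated clean-up that a later refactor could remove. A short comment would keep the intent visible, for example `# Invalidate outstanding reset codes: they were issued while the old address was still the account's email`. The delete is issued before the existing `Session.commit()`, so it appears to land in the same transaction as the address update, which is the right place for it. `change_email()` starts and ends outside the hunk, so whether other codes or sessions tied to the old address are handled elsewhere cannot be judged from here.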
@@ -0,0 +1,33 @@
+from flask import url_for
+
+from app.db import Session
+from app.models import EmailChange, User, ResetPasswordCode
+from tests.utils import create_new_user, random_token, random_email
+
+
+def test_change_email(flask_client):
+ user = create_new_user()
+ user.activated = False
+ user_id = user.id
+ email_change = EmailChange.create(
+ user_id=user.id,
+ code=random_token(),
+ new_email=random_email(),
+ )
+ reset_id = ResetPasswordCode.create(user_id=user_id, code=random_token()).id
+ email_change_id = email_change.id
+ email_change_code = email_change.code
+ new_email = email_change.new_email
+ Session.commit()
+
+ r = flask_client.get(
+ url_for("auth.change_email", code=email_change_code),
+ follow_redirects=True,
+ )
+
+ assert r.status_code == 200
+
+ user = User.get(user_id)
+ assert user.email == new_email
+ assert EmailChange.get(email_change_id) is None
+ assert ResetPasswordCode.get(reset_id) is None
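Review bot: The test never checks that reset codes belonging to other users survive, so it would still pass if the `user_id` filter on the new bulk delete were widened or dropped. Creating a second user's code before `Session.commit()`, e.g. `other_reset_id = ResetPasswordCode.create(user_id=create_new_user().id, code=random_token()).id`, and ending with `assert ResetPasswordCode.get(other_reset_id) is not None` would pin the scope of the deletion. It is also unclear from the test why `user.activated = False` is set, since nothing asserts on it afterwards; a one-line comment would help.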