From ac23536c3654733368fd8411ab33ff7b8bcece9c Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Wed, 30 Dec 2020 21:51:45 +0100
Subject: [PATCH] Make sure a password reset token can be used only once

---
 pkg/user/user_password_reset.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/user/user_password_reset.go b/pkg/user/user_password_reset.go
index 6d0f0c269f..ed68c16a56 100644
--- a/pkg/user/user_password_reset.go
+++ b/pkg/user/user_password_reset.go
@@ -63,7 +63,9 @@ func ResetPassword(s *xorm.Session, reset *PasswordReset) (err error) {
 	}
 
 	// Save it
+	user.PasswordResetToken = ""
 	_, err = s.
+		Cols("password", "password_reset_token").
 		Where("id = ?", user.ID).
 		Update(&user)
 	if err != nil {