closes #6242

src/user/reset.js

@@ -119,7 +119,7 @@ UserReset.commit = function (code, password, callback) {
 			user.hashPassword(password, next);
 		},
 		function (hash, next) {
-			async.parallel([
+			async.series([
 				async.apply(user.setUserFields, uid, { password: hash, 'email:confirmed': 1 }),
 				async.apply(db.deleteObjectField, 'reset:uid', code),
 				async.apply(db.sortedSetRemove, 'reset:issueDate', code),
@@ -128,7 +128,10 @@ UserReset.commit = function (code, password, callback) {
 				async.apply(user.auth.resetLockout, uid),
 				async.apply(db.delete, 'uid:' + uid + ':confirm:email:sent'),
 				async.apply(db.sortedSetRemove, 'users:notvalidated', uid),
-			], next);
+				async.apply(UserReset.cleanByUid, uid),
+			], function (err) {
+				next(err);
+			});
 		},
 	], callback);
 };

test/user.js

@@ -471,6 +471,40 @@ describe('User', function () {
 				});
 			});
 		});
+
+		it('.commit() should invalidate old codes', function (done) {
+			var code1;
+			var code2;
+			var uid;
+			async.waterfall([
+				function (next) {
+					User.create({ username: 'doublereseter', email: 'sorry@forgot.com', password: '123456' }, next);
+				},
+				function (_uid, next) {
+					uid = _uid;
+					User.reset.generate(uid, next);
+				},
+				function (code, next) {
+					code1 = code;
+					User.reset.generate(uid, next);
+				},
+				function (code, next) {
+					code2 = code;
+					User.reset.validate(code1, next);
+				},
+				function (isValid, next) {
+					assert(isValid);
+					User.reset.commit(code2, 'newPwd123', next);
+				},
+				function (next) {
+					User.reset.validate(code1, next);
+				},
+				function (isValid, next) {
+					assert(!isValid);
+					next();
+				},
+			], done);
+		});
 	});
 
 	describe('hash methods', function () {