From 8a084379175f72fc8e9827f6052add1d8116befc Mon Sep 17 00:00:00 2001
From: Antti Hukkanen
Date: Mon, 18 Sep 2023 20:43:03 +0300
Subject: [PATCH] Do not accept expired invitation on password reset
---
 lib/devise_invitable/models.rb | 4 ++--
 test/models/invitable_test.rb | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/lib/devise_invitable/models.rb b/lib/devise_invitable/models.rb
index 2cc5b05c..4be378de 100644
--- a/lib/devise_invitable/models.rb
+++ b/lib/devise_invitable/models.rb
@@ -195,7 +195,7 @@ def unauthenticated_message
 def clear_reset_password_token
 reset_password_token_present = reset_password_token.present?
 super
- accept_invitation! if reset_password_token_present && invited_to_sign_up?
+ accept_invitation! if reset_password_token_present && valid_invitation?
 end
 def clear_errors_on_valid_keys
@@ -231,7 +231,7 @@ def invitation_due_at
 def add_taken_error(key)
 errors.add(key, :taken)
 end
-
+
 def invitation_taken?
 !invited_to_sign_up?
 end
diff --git a/test/models/invitable_test.rb b/test/models/invitable_test.rb
index d0a6a2a9..8e8fd19e 100644
--- a/test/models/invitable_test.rb
+++ b/test/models/invitable_test.rb
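Review bot: In the `clear_reset_password_token` hunk of lib/devise_invitable/models.rb, the switch to `valid_invitation?` carries no comment saying why an expired invitation must stay pending, and the end state of the expired path is left implicit. `super` still runs first, so in the reset flow that the added test exercises the reset token is cleared while the invitation token remains. Whether such an account is then refused at sign-in is decided outside this hunk and is worth confirming, since otherwise the expiry would presumably be enforced only on the invitation record. I would add above the changed line: `# Accept only a still-valid invitation: an expired one must stay pending so a password reset cannot bypass invite_for.` The method is complete in the hunk; the enclosing module is not.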
@@ -279,6 +279,23 @@ def setup
 refute_predicate user, :invited_to_sign_up?
 end
+ test 'should not accept expired invitation while resetting the password' do
+ User.stubs(:invite_for).returns(1.day)
+ user = User.invite!(email: 'valid@email.com')
+ assert user.invited_to_sign_up?
+ user.invitation_created_at = Time.now.utc - 2.days
+ token, user.reset_password_token = Devise.token_generator.generate(User, :reset_password_token)
+ user.reset_password_sent_at = Time.now.utc
+ user.save
+
+ assert user.reset_password_token.present?
+ assert user.invitation_token.present?
+ User.reset_password_by_token(reset_password_token: token, password: '123456789', password_confirmation: '123456789')
+ assert_nil user.reload.reset_password_token
+ assert user.reload.invitation_token.present?
+ assert user.reload.invited_to_sign_up?
+ end
+
 test 'should not accept invitation on failing to reset the password' do
 user = User.invite!(email: 'valid@email.com')
 assert user.invited_to_sign_up?
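Review bot: The setup of the new test calls `user.save` without checking its result, so the test can pass without ever exercising the fix. If the save failed, the generated reset token would never be persisted, `reset_password_by_token` would presumably match no record, and `assert_nil user.reload.reset_password_token` together with the two invitation assertions would still hold on the untouched row. Use `user.save!` (or `assert user.save`) so a broken setup fails loudly; the three consecutive `user.reload` calls could also be a single `user.reload` before the assertions. The enclosing test class starts outside the hunk.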