Keep email confirmation token on password update.

priv/templates/phx.gen.auth/context_functions.ex

@@ -197,14 +197,7 @@
       |> <%= inspect schema.alias %>.password_changeset(attrs)
       |> <%= inspect schema.alias %>.validate_current_password(password)
 
-    Ecto.Multi.new()
-    |> Ecto.Multi.update(:<%= schema.singular %>, changeset)
-    |> Ecto.Multi.delete_all(:tokens, <%= inspect schema.alias %>Token.by_<%= schema.singular %>_and_contexts_query(<%= schema.singular %>, :all))
-    |> Repo.transaction()
-    |> case do
-      {:ok, %{<%= schema.singular %>: <%= schema.singular %>}} -> {:ok, <%= schema.singular %>}
-      {:error, :<%= schema.singular %>, changeset, _} -> {:error, changeset}
-    end
+    update_password(<%= schema.singular %>, changeset)
   end
 
   ## Session
@@ -333,9 +326,15 @@
 
   """
   def reset_<%= schema.singular %>_password(<%= schema.singular %>, attrs) do
+    update_password(<%= schema.singular %>, <%= inspect schema.alias %>.password_changeset(<%= schema.singular %>, attrs))
+  end
+
+  defp update_password(<%= schema.singular %>, changeset) do
+    tokens_query = <%= inspect schema.alias %>Token.by_<%= schema.singular %>_except_contexts_query(<%= schema.singular %>, ["confirm"])
+
     Ecto.Multi.new()
-    |> Ecto.Multi.update(:<%= schema.singular %>, <%= inspect schema.alias %>.password_changeset(<%= schema.singular %>, attrs))
-    |> Ecto.Multi.delete_all(:tokens, <%= inspect schema.alias %>Token.by_<%= schema.singular %>_and_contexts_query(<%= schema.singular %>, :all))
+    |> Ecto.Multi.update(:<%= schema.singular %>, changeset)
+    |> Ecto.Multi.delete_all(:tokens, tokens_query)
     |> Repo.transaction()
     |> case do
       {:ok, %{<%= schema.singular %>: <%= schema.singular %>}} -> {:ok, <%= schema.singular %>}

priv/templates/phx.gen.auth/schema_token.ex

@@ -169,12 +169,22 @@ defmodule <%= inspect schema.module %>Token do
   end
 
   @doc """
-  Gets all tokens for the given <%= schema.singular %> for the given contexts.
+  Gets all tokens for the given <%= schema.singular %>.
   """
-  def by_<%= schema.singular %>_and_contexts_query(<%= schema.singular %>, :all) do
+  def by_<%= schema.singular %>_query(<%= schema.singular %>) do
     from t in <%= inspect schema.alias %>Token, where: t.<%= schema.singular %>_id == ^<%= schema.singular %>.id
   end
 
+  @doc """
+  Gets all tokens for the given <%= schema.singular %> except the given contexts.
+  """
+  def by_<%= schema.singular %>_except_contexts_query(<%= schema.singular %>, [_ | _] = contexts) do
+    from t in <%= inspect schema.alias %>Token, where: t.<%= schema.singular %>_id == ^<%= schema.singular %>.id and t.context not in ^contexts
+  end
+
+  @doc """
+  Gets all tokens for the given <%= schema.singular %> for the given contexts.
+  """
   def by_<%= schema.singular %>_and_contexts_query(<%= schema.singular %>, [_ | _] = contexts) do
     from t in <%= inspect schema.alias %>Token, where: t.<%= schema.singular %>_id == ^<%= schema.singular %>.id and t.context in ^contexts
   end

priv/templates/phx.gen.auth/settings_live.ex

@@ -69,6 +69,7 @@ defmodule <%= inspect context.web_module %>.<%= inspect Module.concat(schema.web
             type="password"
             label="Confirm new password"
             autocomplete="new-password"
+            required
           />
           <.input
             field={@password_form[:current_password]}

priv/templates/phx.gen.auth/test_cases.exs

@@ -293,15 +293,17 @@
       assert <%= inspect context.alias %>.get_<%= schema.singular %>_by_email_and_password(<%= schema.singular %>.email, "new valid password")
     end
 
-    test "deletes all tokens for the given <%= schema.singular %>", %{<%= schema.singular %>: <%= schema.singular %>} do
+    test "deletes all tokens except confirmation for the given <%= schema.singular %>", %{<%= schema.singular %>: <%= schema.singular %>} do
       _ = <%= inspect context.alias %>.generate_<%= schema.singular %>_session_token(<%= schema.singular %>)
+      _ = <%= inspect context.alias %>.deliver_<%= schema.singular %>_reset_password_instructions(<%= schema.singular %>, & &1)
+      _ = <%= inspect context.alias %>.deliver_<%= schema.singular %>_confirmation_instructions(<%= schema.singular %>, & &1)
 
       {:ok, _} =
         <%= inspect context.alias %>.update_<%= schema.singular %>_password(<%= schema.singular %>, valid_<%= schema.singular %>_password(), %{
           password: "new valid password"
         })
 
-      refute Repo.get_by(<%= inspect schema.alias %>Token, <%= schema.singular %>_id: <%= schema.singular %>.id)
+      assert [%<%= inspect schema.alias %>Token{context: "confirm"}] = Repo.all(<%= inspect schema.alias %>Token.by_<%= schema.singular %>_query(<%= schema.singular %>))
     end
   end
 
@@ -488,10 +490,13 @@
       assert <%= inspect context.alias %>.get_<%= schema.singular %>_by_email_and_password(<%= schema.singular %>.email, "new valid password")
     end
 
-    test "deletes all tokens for the given <%= schema.singular %>", %{<%= schema.singular %>: <%= schema.singular %>} do
+    test "deletes all tokens except confirmation for the given <%= schema.singular %>", %{<%= schema.singular %>: <%= schema.singular %>} do
       _ = <%= inspect context.alias %>.generate_<%= schema.singular %>_session_token(<%= schema.singular %>)
+      _ = <%= inspect context.alias %>.deliver_<%= schema.singular %>_reset_password_instructions(<%= schema.singular %>, & &1)
+      _ = <%= inspect context.alias %>.deliver_<%= schema.singular %>_confirmation_instructions(<%= schema.singular %>, & &1)
+
       {:ok, _} = <%= inspect context.alias %>.reset_<%= schema.singular %>_password(<%= schema.singular %>, %{password: "new valid password"})
-      refute Repo.get_by(<%= inspect schema.alias %>Token, <%= schema.singular %>_id: <%= schema.singular %>.id)
+      assert [%<%= inspect schema.alias %>Token{context: "confirm"}] = Repo.all(<%= inspect schema.alias %>Token.by_<%= schema.singular %>_query(<%= schema.singular %>))
     end
   end