Add User#will_save_change_to_login? to clear reset_password_tokens

Devise checks before updating any of the authentication_keys if it needs to clear the reset_password_tokens. This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/42733 (Weak authentication and session management)
author: Sebastian Arcila Valenzuela <sarcila@gitlab.com> 2019-08-12 16:41:05 +0300
committer: Sebastian Arcila Valenzuela <sarcila@gitlab.com> 2019-08-21 14:16:17 +0300
commit: 8184200705a0755db17e9b1eeb58dab7e8cc6d25 (patch)
tree: 58008d8c6be5a2463f44980e3e866fc8a17e729f /changelogs
parent: b07a6a1292757f0f4138069802afbd793f495df6 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml b/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml
new file mode 100644
index 00000000000..a37a3099519
--- /dev/null
+++ b/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml
@@ -0,0 +1,6 @@
+---
+title: Fix weak session management by clearing password reset tokens after login (username/email)
+  are updated
+merge_request:
+author:
+type: security
author	Sebastian Arcila Valenzuela <sarcila@gitlab.com>	2019-08-12 16:41:05 +0300
committer	Sebastian Arcila Valenzuela <sarcila@gitlab.com>	2019-08-21 14:16:17 +0300
commit	8184200705a0755db17e9b1eeb58dab7e8cc6d25 (patch)
tree	58008d8c6be5a2463f44980e3e866fc8a17e729f /changelogs
parent	b07a6a1292757f0f4138069802afbd793f495df6 (diff)