Tighten password reset

test/user.test.js

@@ -1644,7 +1644,6 @@ describe('User', function() {
             if (err) return done(err);
 
             assert.equal(user.email, email);
-
             done();
           });
         });
@@ -1684,6 +1683,35 @@ describe('User', function() {
     });
   });
 
+  describe('password reset without requiring email verification', function() {
+    var email = 'foo1@bar.com';
+    it('disallows temp accessToken creation if email verification is required and done', function(done) {
+      var calledBack = false;
+
+      User.resetPassword({
+        email: 'foo1@bar.com',
+      }, function() {
+        calledBack = true;
+      });
+
+      User.once('resetPasswordRequest', function(info) {
+        assert(info.email);
+        assert(!info.accessToken);
+        assert(!info.accessToken.id);
+        assert.equal(info.accessToken.ttl / 60, 15);
+        assert(calledBack);
+        console.log(info);
+        info.accessToken.user(function(err, user) {
+          if (err) return done(err);
+
+          assert.equal(user.email, email);
+          console.log(user.emailVerified);
+          done();
+        });
+      });
+    });
+  });
+
   describe('ctor', function() {
     it('exports default Email model', function() {
       expect(User.email, 'User.email').to.be.a('function');