From b8f9b85609754db56808766592aa97ff900b70b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Ribeiro?=
Date: Sun, 11 Dec 2016 03:12:54 +0000
Subject: [PATCH] Fix User.resetPassword to call createAccessToken()
This allows User subclasses to override the algorithm used for building one-time access tokens for password recovery.
---
 common/models/user.js | 2 +-
 test/user.test.js | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/common/models/user.js b/common/models/user.js
index 92df8f0f..27fafa7c 100644
--- a/common/models/user.js
+++ b/common/models/user.js
@@ -605,7 +605,7 @@ module.exports = function(User) {
 return cb(err);
 }
- user.accessTokens.create({ ttl: ttl }, function(err, accessToken) {
+ user.createAccessToken(ttl, function(err, accessToken) {
 if (err) {
 return cb(err);
 }
diff --git a/test/user.test.js b/test/user.test.js
index 01c42e7f..18967744 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -1884,6 +1884,19 @@ describe('User', function() {
 });
 });
+ it('calls createAccessToken() to create the token', function(done) {
+ User.prototype.createAccessToken = function(ttl, cb) {
+ cb(null, new AccessToken({id: 'custom-token'}));
+ };
+
+ User.resetPassword({email: options.email}, function() {});
+
+ User.once('resetPasswordRequest', function(info) {
+ expect(info.accessToken.id).to.equal('custom-token');
+ done();
+ });
+ });
+
 it('Password reset over REST rejected without email address', function(done) {
 request(app)
 .post('/test-users/reset')
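Review bot: The call `user.createAccessToken(ttl, ...)` in the common/models/user.js hunk hands an overriding subclass only the TTL, so the override cannot tell a password-recovery token from any other token it is asked to build. Nothing visible in the hunk limits the token beyond its TTL, even though the commit message calls it one-time. This should be documented at the call site, for example `// Subclass overrides of createAccessToken() also build the password-reset token; it is limited only by ttl here.` If createAccessToken() is also used on the login path (not visible here), overrides deserve review with that in mind. The enclosing function starts and ends outside the hunk.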
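Review bot: In the test/user.test.js hunk the new test replaces `User.prototype.createAccessToken` and never restores it, so the stub may leak into later tests unless User is rebuilt in a setup hook outside this hunk. The empty callback `function() {}` also discards any error from resetPassword, and the `resetPasswordRequest` listener is registered only after the call, so a failure or a synchronous emit would surface only as a timeout. Register `User.once(...)` before calling resetPassword and forward the error, `User.resetPassword({email: options.email}, function(err) { if (err) done(err); });`.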