From 760c14b32c89955ea6744c75b9887ce20fec82f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kaio=20Magalh=C3=A3es?=
Date: Fri, 31 Mar 2017 23:09:03 -0300
Subject: [PATCH 1/2] allow to customize if the user is going to be signed in after recover

---
 README.md | 2 +-
 config.go | 3 +++
 recover/recover.go | 4 +++-
 recover/recover_test.go | 6 ++++--
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index fb42d02..1a751a4 100644
--- a/README.md
+++ b/README.md
@@ -267,7 +267,7 @@ provided in the e-mail and their account becomes confirmed, they will automatica
 **How it works:** The user goes to the password recovery page. They then enter their primary ID two times and press recover. An e-mail is sent to the user that includes a token that expires after some time. The user clicks the link in the e-mail and is prompted to enter a new password. Once the password they enter passes all policies
-their new password is stored, they are logged in and redirected to the RecoverOKPath.
+their new password is stored, they are redirected to the RecoverOkPath and logged in if AllowLoginAfterResetPassword is set to true.
 ## Remember Me (persistent login)
 **Requirements:**
diff --git a/config.go b/config.go
index 96c0c9e..94c95f9 100644
--- a/config.go
+++ b/config.go
@@ -26,6 +26,9 @@ type Config struct {
 	// authboss.StoreEmail, authboss.StoreUsername (StoreEmail is default)
 	PrimaryID string
+	// Allow the user to be automatically signed in after reset his password
+	AllowLoginAfterResetPassword bool
+
 	// Layout that all authboss views will be inserted into.
 	Layout *template.Template
 	// LayoutHTMLEmail is for emails going out in HTML form, authbosses e-mail templates
diff --git a/recover/recover.go b/recover/recover.go
index e1ba074..5ceaf81 100644
--- a/recover/recover.go
+++ b/recover/recover.go
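Review bot: The comment on the new AllowLoginAfterResetPassword field in the config.go hunk does not follow the Go doc-comment convention (it should start with the field name) and leaves out the two facts a deployer needs: the zero value is false, and false is a change from the previous behaviour, where completeHandlerFunc always wrote the session key after a reset. Suggested wording: `// AllowLoginAfterResetPassword, when true, signs the user in automatically after a successful password reset. Defaults to false, which is the safe choice because the recovery flow is authenticated only by the e-mailed token; existing deployments that relied on the former unconditional sign-in must set it explicitly.` Since the default flips behaviour for anyone upgrading, it is also worth a line in the changelog or release notes, not just the README.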
@@ -276,7 +276,9 @@ func (r *Recover) completeHandlerFunc(ctx *authboss.Context, w http.ResponseWrit
 			return err
 		}
-		ctx.SessionStorer.Put(authboss.SessionKey, primaryID)
+		if r.Authboss.AllowLoginAfterResetPassword {
+			ctx.SessionStorer.Put(authboss.SessionKey, primaryID)
+		}
 		response.Redirect(ctx, w, req, r.AuthLoginOKPath, "", "", true)
 	default:
 		w.WriteHeader(http.StatusMethodNotAllowed)
diff --git a/recover/recover_test.go b/recover/recover_test.go
index 93675cd..79af660 100644
--- a/recover/recover_test.go
+++ b/recover/recover_test.go
@@ -430,6 +430,8 @@ func TestRecover_completeHandlerFunc_POST(t *testing.T) {
 		return nil
 	})
+	rec.Authboss.AllowLoginAfterResetPassword = false
+
 	ctx, w, r, sessionStorer := testRequest(rec.Authboss, "POST", "token", testURLBase64Token, authboss.StorePassword, "abcd", "confirm_"+authboss.StorePassword, "abcd")
 	if err := rec.completeHandlerFunc(ctx, w, r); err != nil {
@@ -455,8 +457,8 @@ func TestRecover_completeHandlerFunc_POST(t *testing.T) {
 		t.Error("Expected EventPasswordReset callback to have been fired")
 	}
-	if val, ok := sessionStorer.Get(authboss.SessionKey); !ok || val != "john" {
-		t.Error("Expected SessionKey to be:", "john")
+	if _, ok := sessionStorer.Get(authboss.SessionKey); ok {
+		t.Error("Should not have logged the user in since AllowInsecureLoginAfterConfirm is false.")
 	}
 	if w.Code != http.StatusFound {
From def30d71dda21a3dd932aaa2280de5f6a652ec66 Mon Sep 17 00:00:00 2001
From: Kaio
Date: Mon, 3 Apr 2017 10:46:52 -0300
Subject: [PATCH 2/2] improve readme for the recover password topic

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 1a751a4..65c2a79 100644
--- a/README.md
+++ b/README.md
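Review bot: With AllowLoginAfterResetPassword false the handler skips the session write but the unchanged line right after the new if still redirects to r.AuthLoginOKPath, so a user who has not been signed in is sent to the post-login landing page without a session; the README edited in this same commit says they go to the RecoverOkPath, so the code and the docs disagree. Assuming the RecoverOKPath setting the README refers to is a Config field, pick the target by whether a session was created: `okPath := r.RecoverOKPath` before the if, `okPath = r.AuthLoginOKPath` next to the Put inside it, and `response.Redirect(ctx, w, req, okPath, "", "", true)` in place of the current redirect. A short comment on the if, such as `// Signing in here grants a session to whoever holds the e-mailed token, so it is opt-in.`, would record why the branch exists. completeHandlerFunc starts before this hunk and continues past it.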
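Review bot: The message on the new t.Error line in the second recover_test.go hunk names AllowInsecureLoginAfterConfirm, but the flag the first hunk of this file sets is AllowLoginAfterResetPassword, so a failure would point the reader at the wrong setting; change it to `t.Error("Should not have logged the user in since AllowLoginAfterResetPassword is false.")`. The replaced assertion was the only check that the session key is written after a reset, and no case in the test sets the flag to true, so the opt-in sign-in branch added to completeHandlerFunc in this commit has no coverage. A second request through the handler with `rec.Authboss.AllowLoginAfterResetPassword = true` and an assertion that `sessionStorer.Get(authboss.SessionKey)` yields `"john"` would restore it. TestRecover_completeHandlerFunc_POST starts before the first hunk and continues past the second.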
@@ -267,7 +267,8 @@ provided in the e-mail and their account becomes confirmed, they will automatica
 **How it works:** The user goes to the password recovery page. They then enter their primary ID two times and press recover. An e-mail is sent to the user that includes a token that expires after some time. The user clicks the link in the e-mail and is prompted to enter a new password. Once the password they enter passes all policies
-their new password is stored, they are redirected to the RecoverOkPath and logged in if AllowLoginAfterResetPassword is set to true.
+their new password is stored, they are redirected to the RecoverOkPath. If the AllowLoginAfterResetPassword property is set
+to true, the user will also be automatically logged in. The default for this property is set to false.
 ## Remember Me (persistent login)
 **Requirements:**