ControllerTrait clear token

[jp-insitaction]

Hello,

I use this bundle with Symfony 6.4, to go faster I use the make:reset-password command as indicated in the documentation.

The Controller created from the maker has the method processSendingPasswordResetEmail, this method uses the "ResetPasswordControllerTrait" and its method setTokenObjectInSession, which store this token in the session to be retrieved in the next step, but just before storing the token, it empties it, so in session the token is invalid.

private function setTokenObjectInSession(ResetPasswordToken $token): void
{
    $token->clearToken();

    $this->getSessionService()->set('ResetPasswordToken', $token);
}

Is this an error?

[jrushlow]

Howdy @jp-insitaction - Now this is the intended functionality. I wrote a pretty detailed explainer on this here: #288 (comment) - "step 3" specifically talks about how we use the session to allow for displaying the "lifetime" of the token in the template but also guard against potential attack vectors.

Let me know if you have anymore questions or If that comment doesn't explain it clearly.

[jrushlow]

Closing - Feel free to comment is you still have any questions and we'll open the issue back up. Thanks!