invalidate password reset tokens when the passwords changes

Check that the previous password is the same as it was when this
password reset request was generated.

flask_security/recoverable.py

@@ -62,11 +62,17 @@ def reset_password_token_status(token):
     """Returns the expired status, invalid status, and user of a password reset
     token. For example::
 
-        expired, invalid, user = reset_password_token_status('...')
+        expired, invalid, user, data = reset_password_token_status('...')
 
     :param token: The password reset token
     """
-    return get_token_status(token, 'reset', 'RESET_PASSWORD')
+    expired, invalid, user, data = get_token_status(token, 'reset', 'RESET_PASSWORD', return_data=True)
+    if not invalid:
+        password_hash = md5(user.password) if user.password else None
+        if password_hash != data[1]:
+            invalid = True
+
+    return expired, invalid, user
 
 
 def update_password(user, password):

flask_security/utils.py

@@ -341,7 +341,7 @@ def send_mail(subject, recipient, template, **context):
     mail.send(msg)
 
 
-def get_token_status(token, serializer, max_age=None):
+def get_token_status(token, serializer, max_age=None, return_data=False):
     """Get the status of a token.
 
     :param token: The token to check
@@ -367,7 +367,11 @@ def get_token_status(token, serializer, max_age=None):
         user = _datastore.find_user(id=data[0])
 
     expired = expired and (user is not None)
-    return expired, invalid, user
+
+    if return_data:
+        return expired, invalid, user, data
+    else:
+        return expired, invalid, user
 
 
 def get_identity_attributes(app=None):