[#4066] mark user as verified on confirm password reset

forms/record_password_reset_confirm.go

@@ -6,6 +6,8 @@ import (
 	"github.com/pocketbase/pocketbase/daos"
 	"github.com/pocketbase/pocketbase/forms/validators"
 	"github.com/pocketbase/pocketbase/models"
+	"github.com/pocketbase/pocketbase/tools/security"
+	"github.com/spf13/cast"
 )
 
 // RecordPasswordResetConfirm is an auth record password reset confirmation form.
@@ -91,9 +93,21 @@ func (form *RecordPasswordResetConfirm) Submit(interceptors ...InterceptorFunc[*
 		return nil, err
 	}
 
+	if !authRecord.Verified() {
+		payload, err := security.ParseUnverifiedJWT(form.Token)
+		if err != nil {
+			return nil, err
+		}
+
+		// mark as verified if the email hasn't changed
+		if authRecord.Email() == cast.ToString(payload["email"]) {
+			authRecord.SetVerified(true)
+		}
+	}
+
 	interceptorsErr := runInterceptors(authRecord, func(m *models.Record) error {
 		authRecord = m
-		return form.dao.SaveRecord(m)
+		return form.dao.SaveRecord(authRecord)
 	}, interceptors...)
 
 	if interceptorsErr != nil {