From cc21e4ce81341b7d1be6a718b6452c80d7871d91 Mon Sep 17 00:00:00 2001
From: Dmytro Shteflyuk <kpumuk@kpumuk.info>
Date: Thu, 29 May 2025 13:30:23 -0400
Subject: [PATCH] Do not set unlock_token attribute to undigested value after
 unlocking user with token

---
 lib/devise/models/lockable.rb | 4 +---
 test/models/lockable_test.rb  | 2 ++
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/devise/models/lockable.rb b/lib/devise/models/lockable.rb
index 6ab0ce747e..37b10fa1a8 100644
--- a/lib/devise/models/lockable.rb
+++ b/lib/devise/models/lockable.rb
@@ -187,12 +187,10 @@ def send_unlock_instructions(attributes = {})
         # If the user is not locked, creates an error for the user
         # Options must have the unlock_token
         def unlock_access_by_token(unlock_token)
-          original_token = unlock_token
-          unlock_token   = Devise.token_generator.digest(self, :unlock_token, unlock_token)
+          unlock_token = Devise.token_generator.digest(self, :unlock_token, unlock_token)
 
           lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
           lockable.unlock_access! if lockable.persisted?
-          lockable.unlock_token = original_token
           lockable
         end
 
diff --git a/test/models/lockable_test.rb b/test/models/lockable_test.rb
index b1d8cab0d4..961f7c1a94 100644
--- a/test/models/lockable_test.rb
+++ b/test/models/lockable_test.rb
@@ -201,7 +201,9 @@ def setup
     raw  = user.send_unlock_instructions
     locked_user = User.unlock_access_by_token(raw)
     assert_equal user, locked_user
+    assert_not locked_user.changed?
     assert_not user.reload.access_locked?
+    assert_nil user.reload.unlock_token
   end
 
   test 'should return a new record with errors when a invalid token is given' do