Creates a new sessionToken when updating password (parse-community#2266)

* Creates a new sessionToken when updating password

* Adds test ensuring email is properly sent when upgrading from anon

Author: flovilmart

spec/ParseUser.spec.js

@@ -2203,6 +2203,26 @@ describe('Parse.User testing', () => {
     });
   });
 
+  it("invalid session tokens are rejected", (done) => {
+    Parse.User.signUp("asdf", "zxcv", null, {
+      success: function(user) {
+        request.get({
+          url: 'http://localhost:8378/1/classes/AClass',
+          json: true,
+          headers: {
+            'X-Parse-Application-Id': 'test',
+            'X-Parse-Rest-API-Key': 'rest',
+            'X-Parse-Session-Token': 'text'
+          },
+        }, (error, response, body) => {
+          expect(body.code).toBe(209);
+          expect(body.error).toBe('invalid session token');
+          done();
+        })
+      }
+    });
+  });
+
   it_exclude_dbs(['postgres'])('should cleanup null authData keys (regression test for #935)', (done) => {
     let database = new Config(Parse.applicationId).database;
     database.create('_User', {

src/RestWrite.js

@@ -367,6 +367,7 @@ RestWrite.prototype.transformUser = function() {
     }
     if (this.query && !this.auth.isMaster ) {
       this.storage['clearSessions'] = true;
+      this.storage['generateNewSession'] = true;
     }
     return passwordCrypto.hash(this.data.password).then((hashedPassword) => {
       this.data._hashed_password = hashedPassword;
@@ -428,6 +429,10 @@ RestWrite.prototype.createSessionTokenIfNeeded = function() {
   if (this.query) {
     return;
   }
+  return this.createSessionToken();
+}
+
+RestWrite.prototype.createSessionToken = function() {
   var token = 'r:' + cryptoUtils.newToken();
 
   var expiresAt = this.config.generateSessionExpiresAt();
@@ -464,15 +469,21 @@ RestWrite.prototype.handleFollowup = function() {
         }
     };
     delete this.storage['clearSessions'];
-    this.config.database.destroy('_Session', sessionQuery)
+    return this.config.database.destroy('_Session', sessionQuery)
+    .then(this.handleFollowup.bind(this));
+  }
+  
+  if (this.storage && this.storage['generateNewSession']) {
+    delete this.storage['generateNewSession'];
+    return this.createSessionToken()
     .then(this.handleFollowup.bind(this));
   }
 
   if (this.storage && this.storage['sendVerificationEmail']) {
     delete this.storage['sendVerificationEmail'];
     // Fire and forget!
     this.config.userController.sendVerificationEmail(this.data);
-    this.handleFollowup.bind(this);
+    return this.handleFollowup.bind(this);
   }
 };