From d6497e62bd0dfe9c4f8250c477e857c1a6834742 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jorge=20Gonz=C3=A1lez?=
Date: Sat, 11 Apr 2026 19:27:50 +0200
Subject: [PATCH 1/4] Clear token after email activation

activateUser() was setting token_expires to null but leaving the token value in the database. Old activation links remained usable if token_expires was ever reset. Now both fields are cleared on activation, consistent with how PasswordBehavior handles password reset tokens.
---
 src/Model/Behavior/RegisterBehavior.php | 3 ++-
 tests/TestCase/Model/Behavior/RegisterBehaviorTest.php | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/Model/Behavior/RegisterBehavior.php b/src/Model/Behavior/RegisterBehavior.php
index a23453b4..c73dfb19 100644
--- a/src/Model/Behavior/RegisterBehavior.php
+++ b/src/Model/Behavior/RegisterBehavior.php
@@ -128,8 +128,9 @@ public function activateUser(EntityInterface $user)
 if ($user->active) {
 throw new UserAlreadyActiveException(__d('cake_d_c/users', 'User account already validated'));
 }
- $user->activation_date = new \DateTime();
+ $user->token = null;
 $user->token_expires = null;
+ $user->activation_date = new \DateTime();
 $user->active = true;
 return $this->_table->save($user);
diff --git a/tests/TestCase/Model/Behavior/RegisterBehaviorTest.php b/tests/TestCase/Model/Behavior/RegisterBehaviorTest.php
index 7008c25c..54d5476c 100644
--- a/tests/TestCase/Model/Behavior/RegisterBehaviorTest.php
+++ b/tests/TestCase/Model/Behavior/RegisterBehaviorTest.php
@@ -304,6 +304,7 @@ public function testActiveUserRemoveValidationToken()
 $result = $this->Behavior->activateUser($user);
 $this->assertSame($result, $user);
+ $this->assertNull($user->token);
 $this->assertNull($user->token_expires);
 $this->assertTrue($user->active);
 $this->assertInstanceOf(\DateTime::class, $user->activation_date);
From 485b672d20a5c74492567b6975f8a73b01ad8dd5 Mon Sep 17 00:00:00 2001
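Review bot: Clearing `token` in activateUser() leaves every activated row with the same NULL token, so the code that resolves an activation link has to reject a missing or empty token before it queries. That lookup is outside this hunk and I cannot tell from here whether it already does. It is also worth recording the intent next to the new assignment, for example `// Single-use: clear the token itself, not only its expiry, so an old activation link cannot be replayed.` activateUser() begins above the hunk and its closing brace is below it.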
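Review bot: The added `$this->assertNull($user->token);` in testActiveUserRemoveValidationToken() inspects the same entity object that activateUser() just modified, so it only shows the in-memory value, while the commit message is about the value left in the database. Re-reading the row after the call and asserting on that copy would cover the persisted state, e.g. `$this->assertNull(<users table>->get($user->id)->token);`, with the table object this test class already uses in place of the placeholder. The test method starts and ends outside the hunk, so an existing reload further down may already do this.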
From: =?UTF-8?q?Jorge=20Gonz=C3=A1lez?=
Date: Sat, 11 Apr 2026 19:45:23 +0200
Subject: [PATCH 2/4] fix: update integration test to reflect cleared token after activation

Since activation now sets token=null, re-using the old token URL results in UserNotFoundException instead of TokenExpiredException.
---
 .../Traits/Integration/RegisterTraitIntegrationTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/TestCase/Controller/Traits/Integration/RegisterTraitIntegrationTest.php b/tests/TestCase/Controller/Traits/Integration/RegisterTraitIntegrationTest.php
index 9c373979..2663f030 100644
--- a/tests/TestCase/Controller/Traits/Integration/RegisterTraitIntegrationTest.php
+++ b/tests/TestCase/Controller/Traits/Integration/RegisterTraitIntegrationTest.php
@@ -123,7 +123,7 @@ public function testRegisterPostOkay()
 //If access again get error
 $this->get($url);
 $this->assertRedirect('/login');
- $this->assertFlashMessage('Token already expired');
+ $this->assertFlashMessage('Invalid token or user account already validated');
 }
 /**
From b1e01eebfa0a0fd863036a742a946139183b3b7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jorge=20Gonz=C3=A1lez?=
Date: Sun, 12 Apr 2026 20:09:47 +0200
Subject: [PATCH 3/4] fix cs

---
 src/Model/Behavior/RegisterBehavior.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/Model/Behavior/RegisterBehavior.php b/src/Model/Behavior/RegisterBehavior.php
index c73dfb19..f663e64a 100644
--- a/src/Model/Behavior/RegisterBehavior.php
+++ b/src/Model/Behavior/RegisterBehavior.php
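Review bot: The comment `//If access again get error` above the second request in testRegisterPostOkay() no longer explains the expectation now that the flash message has changed. Why a replayed link ends in the not-found path rather than the expired path is recorded only in the commit message. A replacement such as `// Activation cleared the token, so replaying the link no longer finds a user` would keep that reasoning next to the assertion. The test method starts above the hunk.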
@@ -128,10 +128,10 @@ public function activateUser(EntityInterface $user)
 if ($user->active) {
 throw new UserAlreadyActiveException(__d('cake_d_c/users', 'User account already validated'));
 }
- $user->token = null;
- $user->token_expires = null;
- $user->activation_date = new \DateTime();
- $user->active = true;
+ $user->set('token', null);
+ $user->set('token_expires', null);
+ $user->set('activation_date', new \DateTime());
+ $user->set('active', true);
 return $this->_table->save($user);
 }
From 0e1eb0bf9e34809ac71e407bd762844737a56203 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jorge=20Gonz=C3=A1lez?=
Date: Sun, 12 Apr 2026 20:15:47 +0200
Subject: [PATCH 4/4] remove baseline outdated

---
 phpstan-baseline.neon | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon
index 79146eb5..1550fe42 100644
--- a/phpstan-baseline.neon
+++ b/phpstan-baseline.neon
@@ -60,24 +60,12 @@ parameters: count: 1 path: src/Model/Behavior/LinkSocialBehavior.php - - - message: '#^Access to an undefined property Cake\\Datasource\\EntityInterface\:\:\$activation_date\.$#' - identifier: property.notFound - count: 1 - path: src/Model/Behavior/RegisterBehavior.php - - message: '#^Access to an undefined property Cake\\Datasource\\EntityInterface\:\:\$active\.$#' identifier: property.notFound count: 1 path: src/Model/Behavior/RegisterBehavior.php - - - message: '#^Access to an undefined property Cake\\Datasource\\EntityInterface\:\:\$token_expires\.$#' - identifier: property.notFound - count: 1 - path: src/Model/Behavior/RegisterBehavior.php - - message: '#^Access to an undefined property Cake\\Datasource\\EntityInterface\:\:\$validated\.$#' identifier: property.notFound
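Review bot: The guard `if ($user->active)` at the top of the activateUser() hunk in patch 3/4 still reads the field through magic property access, while the four writes below it now go through `set()`. Reading it as `if ($user->get('active'))` would keep the method consistent. The `$active` entry that patch 4/4 leaves in phpstan-baseline.neon for this file presumably exists only because of that read, so it could then be dropped as well. activateUser() begins above the hunk.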