setPassword also removes the link - previous "fixes" were unnecessary

src/core/authentication-flows-processor.ts

@@ -451,10 +451,6 @@ export class AuthenticationFlowsProcessor {
             throw new LinkExpiredError(`ERROR: user ${username} tried to use non-existing link`);
         }
 
-        //this part was persisted in the DB, in order to make sure the activation-link is single-used.
-        //so here we remove it from the DB:
-        await this.removeLinkFromDB( username );
-
         const tokenDate: Date = new Date(tokenData.date);
 
         //check if link is expired:
@@ -467,6 +463,7 @@ export class AuthenticationFlowsProcessor {
         //encrypt the password:
         const encodedPassword: string = shaString(password);
 
+        //store the new password, and also clear the link, to ensure the activation-link is single-used:
         debug("setting password for user " + username);
         await this._authenticationAccountRepository.setPassword(username, encodedPassword);
     }