From 42052c633985df4f403c76739cbe6552e4c1fa77 Mon Sep 17 00:00:00 2001
From: David Parker
Date: Mon, 7 Aug 2023 10:50:22 -0400
Subject: [PATCH] Fixing logic for invalidkey error
---
 includes/login.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/includes/login.php b/includes/login.php
index e3ba00be5..6fd0c4ee3 100644
--- a/includes/login.php
+++ b/includes/login.php
@@ -802,7 +802,7 @@ function pmpro_do_password_reset() {
 // If the key is expired or invalid, figure out the correct error code.
 if ( is_wp_error( $check ) ) {
 $error_code = $check->get_error_code() == 'expired_key' ? 'expiredkey' : 'invalidkey';
- } elseif ( gettype( $check ) !== 'WP_User' ) {
+ } elseif ( ! is_a( $check, 'WP_User' ) ) {
 // Probably null/false returned from a plugin filtering the check.
 $error_code = 'invalidkey';
 }
@@ -846,7 +846,8 @@ function pmpro_do_password_reset() {
 // Parameter checks OK, reset password.
 // Note: Can't sanitize the password.
- reset_password( $user, $_POST['pass1'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+ // $check must be a WP_User object at this point, otherwise $error_code would be set and we'd have already redirected.
+ reset_password( $check, $_POST['pass1'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 wp_redirect( add_query_arg( urlencode( 'password' ), urlencode( 'changed' ), $redirect_url ) );
 } else {
 esc_html_e( 'Invalid Request', 'paid-memberships-pro' );
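Review bot: On the new `elseif`, `is_a( $check, 'WP_User' )` with a string class name works, but `instanceof` is the idiomatic form and is visible to static analysis: `} elseif ( ! ( $check instanceof WP_User ) ) {`. This branch is the guard that keeps a non-user value away from `reset_password()` in the later hunk, so it deserves a regression test. The test should show that a valid key leaves `$error_code` unset and that a null/false result from a filter yields `invalidkey`. pmpro_do_password_reset() starts and ends outside the hunk.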
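Review bot: The comment added above `reset_password( $check, $_POST['pass1'] )` states an invariant these lines cannot confirm: it holds only if the earlier `$error_code` branch redirects and then stops execution, and that code is outside the hunk. Because this call changes an account password, I would enforce the guarantee locally and fail closed, for example with `if ( ! ( $check instanceof WP_User ) ) { return; }` directly before the call. The commit subject mentions only the invalidkey logic, so the switch of the reset target from `$user` to `$check` should be described explicitly for anyone auditing this path later. pmpro_do_password_reset() starts and ends outside the hunk.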