prevent disabled user to be automaticaly logged in after password reset

config/services.yaml

@@ -204,6 +204,12 @@ services:
             $dispatcher: '@event_dispatcher'
         tags: ['controller.service_arguments']
 
+    App\EventListener\PreventDisabledUserAutoLoginListener:
+        arguments:
+            $tokenStorage: '@security.token_storage'
+        tags:
+            - { name: kernel.event_subscriber }
+
     app.flux.listener:
         class: App\Listener\FluxListener
         tags:

src/EventListener/PreventDisabledUserAutoLoginListener.php

+<?php
+
+namespace App\EventListener;
+
+use FOS\UserBundle\FOSUserEvents;
+use FOS\UserBundle\Event\FilterUserResponseEvent;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+
+class PreventDisabledUserAutoLoginListener implements EventSubscriberInterface
+{
+    private $tokenStorage;
+
+    public function __construct(TokenStorageInterface $tokenStorage)
+    {
+        $this->tokenStorage = $tokenStorage;
+    }
+
+    public static function getSubscribedEvents()
+    {
+        return [
+            FOSUserEvents::RESETTING_RESET_COMPLETED => ['onResettingCompleted', 999], // high priority
+        ];
+    }
+
+    public function onResettingCompleted(FilterUserResponseEvent $event)
+    {
+        $user = $event->getUser();
+
+        if (!$user->isEnabled()) {
+            // Delete authentication token so disabled user isn't automaticaly connected after resetting password
+            $this->tokenStorage->setToken(null);
+        }
+    }
+}
\ No newline at end of file