users: refactor password reset flow.

The old password reset flow: * User requests a password reset. * Danbooru generates a password reset nonce. * Danbooru emails user a password reset confirmation link. * User follows link to password reset confirmation page. * The link contains a nonce authenticating the user. * User confirms password reset. * Danbooru resets user's password to a random string. * Danbooru emails user their new password in plaintext. The new password reset flow: * User requests a password reset. * Danbooru emails user a password reset link. * User follows link to password edit page. * The link contains a signed_user_id param authenticating the user. * User changes their own password.
2020-03-08 21:03:36 -05:00
parent f25bace766
commit 5625458f69
30 changed files with 133 additions and 395 deletions
--- a/app/controllers/maintenance/user/password_resets_controller.rb
+++ b/app/controllers/maintenance/user/password_resets_controller.rb
@@ -1,38 +0,0 @@
-module Maintenance
-  module User
-    class PasswordResetsController < ApplicationController
-      def new
-        @nonce = UserPasswordResetNonce.new
-      end
-
-      def create
-        @nonce = UserPasswordResetNonce.create(nonce_params)
-        if @nonce.errors.any?
-          redirect_to new_maintenance_user_password_reset_path, :notice => @nonce.errors.full_messages.join("; ")
-        else
-          redirect_to new_maintenance_user_password_reset_path, :notice => "Email request sent"
-        end
-      end
-
-      def edit
-        @nonce = UserPasswordResetNonce.where(:email => params[:email], :key => params[:key]).first
-      end
-
-      def update
-        @nonce = UserPasswordResetNonce.where(:email => params[:email], :key => params[:key]).first
-
-        if @nonce
-          @nonce.reset_user!
-          @nonce.destroy
-          redirect_to new_maintenance_user_password_reset_path, :notice => "Password reset; email delivered with new password"
-        else
-          redirect_to new_maintenance_user_password_reset_path, :notice => "Invalid key"
-        end
-      end
-
-      def nonce_params
-        params.fetch(:nonce, {}).permit([:email])
-      end
-    end
-  end
-end
--- a/app/controllers/password_resets_controller.rb
+++ b/app/controllers/password_resets_controller.rb
@@ -0,0 +1,14 @@
+class PasswordResetsController < ApplicationController
+  respond_to :html, :xml, :json
+
+  def create
+    @user = User.find_by_name(params.dig(:user, :name))
+    UserMailer.password_reset(@user).deliver_later
+
+    flash[:notice] = "Password reset email sent. Check your email"
+    respond_with(@user, location: new_session_path)
+  end
+
+  def show
+  end
+end
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -26,6 +26,6 @@ class PasswordsController < ApplicationController
  end

  def user_params
-    params.require(:user).permit(%i[old_password password password_confirmation])
+    params.require(:user).permit(%i[signed_user_id old_password password password_confirmation])
  end
 end
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -337,7 +337,7 @@ module ApplicationHelper

  def nav_link_match(controller, url)
    url =~ case controller
-    when "sessions", "users", "maintenance/user/password_resets", "admin/users"
+    when "sessions", "users", "admin/users"
      /^\/(session|users)/

    when "comments"
--- a/app/logical/danbooru/message_verifier.rb
+++ b/app/logical/danbooru/message_verifier.rb
@@ -8,12 +8,12 @@ module Danbooru
      @verifier = ActiveSupport::MessageVerifier.new(secret, serializer: JSON, digest: "SHA256")
    end

-    def generate(*options)
-      verifier.generate(*options, purpose: purpose)
+    def generate(*args, **options)
+      verifier.generate(*args, purpose: purpose, **options)
    end

-    def verified(*options)
-      verifier.verified(*options, purpose: purpose)
+    def verify(*args, **options)
+      verifier.verify(*args, purpose: purpose, **options)
    end
  end
 end
--- a/app/logical/danbooru_maintenance.rb
+++ b/app/logical/danbooru_maintenance.rb
@@ -19,7 +19,6 @@ module DanbooruMaintenance
  end

  def weekly
-    safely { UserPasswordResetNonce.prune! }
    safely { TagRelationshipRetirementService.find_and_retire! }
    safely { ApproverPruner.dmail_inactive_approvers! }
  end
--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -16,6 +16,8 @@ class SessionLoader

    if has_api_authentication?
      load_session_for_api
+    elsif params[:signed_user_id]
+      load_param_user(params[:signed_user_id])
    elsif session[:user_id]
      load_session_user
    elsif cookie_password_hash_valid?
@@ -79,6 +81,11 @@ class SessionLoader
    end
  end

+  def load_param_user(signed_user_id)
+    session[:user_id] = Danbooru::MessageVerifier.new(:login).verify(signed_user_id)
+    load_session_user
+  end
+
  def load_session_user
    user = User.find_by_id(session[:user_id])
    CurrentUser.user = user if user
--- a/app/mailers/application_mailer.rb
+++ b/app/mailers/application_mailer.rb
@@ -0,0 +1,3 @@
+class ApplicationMailer < ActionMailer::Base
+  default from: "#{Danbooru.config.canonical_app_name} <#{Danbooru.config.contact_email}>", content_type: "text/html"
+end
--- a/app/mailers/maintenance/user/password_reset_mailer.rb
+++ b/app/mailers/maintenance/user/password_reset_mailer.rb
@@ -1,17 +0,0 @@
-module Maintenance
-  module User
-    class PasswordResetMailer < ActionMailer::Base
-      def reset_request(user, nonce)
-        @user = user
-        @nonce = nonce
-        mail(:to => @user.email, :subject => "#{Danbooru.config.app_name} password reset request", :from => Danbooru.config.contact_email)
-      end
-
-      def confirmation(user, new_password)
-        @user = user
-        @new_password = new_password
-        mail(:to => @user.email, :subject => "#{Danbooru.config.app_name} password reset confirmation", :from => Danbooru.config.contact_email)
-      end
-    end
-  end
-end
--- a/app/mailers/user_mailer.rb
+++ b/app/mailers/user_mailer.rb
@@ -1,10 +1,14 @@
-class UserMailer < ActionMailer::Base
+class UserMailer < ApplicationMailer
  add_template_helper ApplicationHelper
  add_template_helper UsersHelper
-  default :from => Danbooru.config.contact_email, :content_type => "text/html"

  def dmail_notice(dmail)
    @dmail = dmail
    mail(:to => "#{dmail.to.name} <#{dmail.to.email}>", :subject => "#{Danbooru.config.app_name} - Message received from #{dmail.from.name}")
  end
+
+  def password_reset(user)
+    @user = user
+    mail to: "#{@user.name} <#{@user.email}>", subject: "#{Danbooru.config.app_name} password reset request"
+  end
 end
--- a/app/models/dmail.rb
+++ b/app/models/dmail.rb
@@ -121,8 +121,7 @@ class Dmail < ApplicationRecord
    end

    def valid_key?(key)
-      decoded_id = verifier.verified(key)
-      id == decoded_id
+      id == verifier.verify(key)
    end

    def visible_to?(user, key)
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -68,7 +68,7 @@ class User < ApplicationRecord

  has_bit_flags BOOLEAN_ATTRIBUTES, :field => "bit_prefs"

-  attr_accessor :password, :old_password
+  attr_accessor :password, :old_password, :signed_user_id

  after_initialize :initialize_attributes, if: :new_record?
  validates :name, user_name: true, on: :create
@@ -185,36 +185,15 @@ class User < ApplicationRecord

    def encrypt_password_on_update
      return if password.blank?
-      return if old_password.blank?

-      if bcrypt_password == User.sha1(old_password)
+      if signed_user_id.present? && id == Danbooru::MessageVerifier.new(:login).verify(signed_user_id)
+        self.bcrypt_password_hash = User.bcrypt(password)
+      elsif old_password.present? && bcrypt_password == User.sha1(old_password)
        self.bcrypt_password_hash = User.bcrypt(password)
-        return true
      else
        errors[:old_password] << "is incorrect"
-        return false
      end
    end
-
-    def reset_password
-      consonants = "bcdfghjklmnpqrstvqxyz"
-      vowels = "aeiou"
-      pass = ""
-
-      6.times do
-        pass << consonants[rand(21), 1]
-        pass << vowels[rand(5), 1]
-      end
-
-      pass << rand(100).to_s
-      update_column(:bcrypt_password_hash, User.bcrypt(pass))
-      pass
-    end
-
-    def reset_password_and_deliver_notice
-      new_password = reset_password
-      Maintenance::User::PasswordResetMailer.confirmation(self, new_password).deliver_now
-    end
  end

  module AuthenticationMethods
@@ -637,14 +616,6 @@ class User < ApplicationRecord
  end

  module SearchMethods
-    def with_email(email)
-      if email.blank?
-        where("FALSE")
-      else
-        where("email = ?", email)
-      end
-    end
-
    def search(params)
      q = super

--- a/app/models/user_password_reset_nonce.rb
+++ b/app/models/user_password_reset_nonce.rb
@@ -1,28 +0,0 @@
-class UserPasswordResetNonce < ApplicationRecord
-  has_secure_token :key
-  validates_presence_of :email
-  validate :validate_existence_of_email
-  after_create :deliver_notice
-
-  def self.prune!
-    where("created_at < ?", 1.week.ago).destroy_all
-  end
-
-  def deliver_notice
-    Maintenance::User::PasswordResetMailer.reset_request(user, self).deliver_now
-  end
-
-  def validate_existence_of_email
-    if !User.with_email(email).exists?
-      errors[:email] << "is invalid"
-    end
-  end
-
-  def reset_user!
-    user.reset_password_and_deliver_notice
-  end
-
-  def user
-    @user ||= User.with_email(email).first
-  end
-end
--- a/app/views/maintenance/user/password_reset_mailer/confirmation.html.erb
+++ b/app/views/maintenance/user/password_reset_mailer/confirmation.html.erb
@@ -1,5 +0,0 @@
-<h1>Password Reset Confirmation</h1>
-
-<p>The password for the user "<%= @user.name %>" for the website <%= Danbooru.config.app_name %> has been reset. It is now <code><%= @new_password %></code>.</p>
-
-<p>Please log in to the website and <%= link_to "change your password", edit_user_url(@user, :host => Danbooru.config.hostname, :only_path => false) %> as soon as possible.</p>
--- a/app/views/maintenance/user/password_reset_mailer/reset_request.html.erb
+++ b/app/views/maintenance/user/password_reset_mailer/reset_request.html.erb
@@ -1,4 +0,0 @@
-<h1>Password Reset Request</h1>
-
-<p>Someone has requested that the password for "<%= @user.name %>" for the website <%= Danbooru.config.app_name %> be reset. If you did not request this, then you can ignore this email.</p>
-<p>To reset your password, please visit <%= link_to "this link", edit_maintenance_user_password_reset_url(:host => Danbooru.config.hostname, :only_path => false, :key => @nonce.key, :email => @nonce.email) %>.</p>
--- a/app/views/maintenance/user/password_resets/edit.html.erb
+++ b/app/views/maintenance/user/password_resets/edit.html.erb
@@ -1,19 +0,0 @@
-<% page_title "Reset Password" %>
-<%= render "sessions/secondary_links" %>
-
-<div id="c-maintenance-user-password-resets">
-  <div id="a-edit">
-    <h1>Reset Password</h1>
-
-    <% if @nonce %>
-      <%= form_tag(maintenance_user_password_reset_path, :method => :put) do %>
-        <%= hidden_field_tag :email, params[:email] %>
-        <%= hidden_field_tag :key, params[:key] %>
-        <p>Do you wish to reset your password? A new password will be emailed to you.</p>
-        <%= submit_tag "Reset" %>
-      <% end %>
-    <% else %>
-      <p>Invalid key</p>
-    <% end %>
-  </div>
-</div>
--- a/app/views/maintenance/user/password_resets/new.html.erb
+++ b/app/views/maintenance/user/password_resets/new.html.erb
@@ -1,20 +0,0 @@
-<% page_title "Reset Password" %>
-<%= render "sessions/secondary_links" %>
-
-<div id="c-maintenance-user-password-resets">
-  <div id="a-new">
-    <h1>Reset Password</h1>
-
-    <p>If you supplied an email address when signing up, <%= Danbooru.config.app_name %> can reset your password. You will receive an email confirming your request for a new password.</p>
-
-    <p>If you didn't supply a valid email address, you are out of luck.</p>
-
-    <%= form_tag(maintenance_user_password_reset_path, :class => "simple_form") do %>
-      <div class="input email required">
-        <label for="nonce_email" class="required">Email</label>
-        <%= text_field :nonce, :email %>
-      </div>
-      <%= submit_tag "Submit" %>
-    <% end %>
-  </div>
-</div>
--- a/app/views/password_resets/show.html.erb
+++ b/app/views/password_resets/show.html.erb
@@ -0,0 +1,22 @@
+<% page_title "Reset Password" %>
+<%= render "sessions/secondary_links" %>
+
+<div id="c-password-resets">
+  <div id="a-show">
+    <h1>Reset Password</h1>
+
+    <p>
+      Enter your username below to reset your password. You will be sent an
+      email containing a link to reset your password.
+    </p>
+
+    <p>
+      If your account doesn't have a valid email address, then your password can't be reset.
+    </p>
+
+    <%= edit_form_for(:user, url: password_reset_path, action: :post) do |f| %>
+      <%= f.input :name, label: "Username", input_html: { "data-autocomplete": "user" } %>
+      <%= f.submit "Submit" %>
+    <% end %>
+  </div>
+</div>
--- a/app/views/passwords/edit.html.erb
+++ b/app/views/passwords/edit.html.erb
@@ -4,8 +4,14 @@
  <div id="a-edit">
    <h1>Change Password</h1>

+    <p>Enter a new password below.</p>
+
    <%= edit_form_for(@user, url: user_password_path(@user)) do |f| %>
-      <%= f.input :old_password, as: :password, hint: "Re-enter your current password." %>
+      <% if params[:signed_user_id] %>
+        <%= f.input :signed_user_id, as: :hidden, input_html: { value: params[:signed_user_id] }  %>
+      <% else %>
+        <%= f.input :old_password, as: :password, hint: "Re-enter your current password." %>
+      <% end %>
      <%= f.input :password, label: "New password", hint: "Must be at least 5 characters long." %>
      <%= f.input :password_confirmation, label: "Confirm new password" %>
      <%= f.submit "Save" %>
--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -11,7 +11,7 @@
      <%= simple_form_for(:session, url: session_path) do |f| %>
        <%= f.input :url, as: :hidden, input_html: { value: params[:url] } %>
        <%= f.input :name %>
-        <%= f.input :password, hint: link_to("Forgot password?", new_maintenance_user_password_reset_path), input_html: { autocomplete: "password" } %>
+        <%= f.input :password, hint: link_to("Forgot password?", password_reset_path), input_html: { autocomplete: "password" } %>
        <%= f.submit "Login" %>
      <% end %>

--- a/app/views/user_mailer/password_reset.html.erb
+++ b/app/views/user_mailer/password_reset.html.erb
@@ -0,0 +1,22 @@
+<!doctype html>
+<html>
+  <body>
+    <h2>Hi <%= @user.name %>,</h2>
+
+    <p>
+      You recently requested your password to be reset for your <%= Danbooru.config.app_name %>
+      account. Click the link below to login to <%= Danbooru.config.app_name %>
+      and reset your password.
+    </p>
+
+    <p>
+      <%= link_to "Reset password", edit_user_password_url(@user, signed_user_id: Danbooru::MessageVerifier.new(:login).generate(@user.id, expires_in: 30.minutes)) %>
+    </p>
+
+    <p>
+      If you did not request for your <%= Danbooru.config.app_name %> password to
+      be reset, please ignore this email or reply to let us know. This link
+      will only be valid for the next 30 minutes.
+    </p>
+  </body>
+</html>
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -45,7 +45,6 @@ Rails.application.routes.draw do
    namespace :user do
      resource :count_fixes, only: [:new, :create]
      resource :email_notification, :only => [:show, :destroy]
-      resource :password_reset, :only => [:new, :create, :edit, :update]
      resource :deletion, :only => [:show, :destroy]
      resource :email_change, :only => [:new, :create]
      resource :api_key, :only => [:show, :view, :update, :destroy] do
@@ -153,6 +152,7 @@ Rails.application.routes.draw do
  end
  resources :note_versions, :only => [:index, :show]
  resource :note_previews, :only => [:show]
+  resource :password_reset, only: [:create, :show]
  resources :pixiv_ugoira_frame_data, only: [:index]
  resources :pools do
    member do
--- a/db/migrate/20200309035334_drop_user_password_reset_nonces.rb
+++ b/db/migrate/20200309035334_drop_user_password_reset_nonces.rb
@@ -0,0 +1,7 @@
+require_relative "20110717010705_create_user_password_reset_nonces"
+
+class DropUserPasswordResetNonces < ActiveRecord::Migration[6.0]
+  def change
+    revert CreateUserPasswordResetNonces
+  end
+end
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -3049,38 +3049,6 @@ CREATE SEQUENCE public.user_name_change_requests_id_seq
 ALTER SEQUENCE public.user_name_change_requests_id_seq OWNED BY public.user_name_change_requests.id;


--
-- Name: user_password_reset_nonces; Type: TABLE; Schema: public; Owner: -
--
-
-CREATE TABLE public.user_password_reset_nonces (
-    id integer NOT NULL,
-    key character varying NOT NULL,
-    email character varying NOT NULL,
-    created_at timestamp without time zone NOT NULL,
-    updated_at timestamp without time zone NOT NULL
-);
-
-
--
-- Name: user_password_reset_nonces_id_seq; Type: SEQUENCE; Schema: public; Owner: -
--
-
-CREATE SEQUENCE public.user_password_reset_nonces_id_seq
-    START WITH 1
-    INCREMENT BY 1
-    NO MINVALUE
-    NO MAXVALUE
-    CACHE 1;
-
-
--
-- Name: user_password_reset_nonces_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: -
--
-
-ALTER SEQUENCE public.user_password_reset_nonces_id_seq OWNED BY public.user_password_reset_nonces.id;
-
-
 --
 -- Name: users_id_seq; Type: SEQUENCE; Schema: public; Owner: -
 --
@@ -4142,13 +4110,6 @@ ALTER TABLE ONLY public.user_feedback ALTER COLUMN id SET DEFAULT nextval('publi
 ALTER TABLE ONLY public.user_name_change_requests ALTER COLUMN id SET DEFAULT nextval('public.user_name_change_requests_id_seq'::regclass);


--
-- Name: user_password_reset_nonces id; Type: DEFAULT; Schema: public; Owner: -
--
-
-ALTER TABLE ONLY public.user_password_reset_nonces ALTER COLUMN id SET DEFAULT nextval('public.user_password_reset_nonces_id_seq'::regclass);
-
-
 --
 -- Name: users id; Type: DEFAULT; Schema: public; Owner: -
 --
@@ -4506,14 +4467,6 @@ ALTER TABLE ONLY public.user_name_change_requests
    ADD CONSTRAINT user_name_change_requests_pkey PRIMARY KEY (id);


--
-- Name: user_password_reset_nonces user_password_reset_nonces_pkey; Type: CONSTRAINT; Schema: public; Owner: -
--
-
-ALTER TABLE ONLY public.user_password_reset_nonces
-    ADD CONSTRAINT user_password_reset_nonces_pkey PRIMARY KEY (id);
-
-
 --
 -- Name: users users_pkey; Type: CONSTRAINT; Schema: public; Owner: -
 --
@@ -7323,6 +7276,7 @@ INSERT INTO "schema_migrations" (version) VALUES
 ('20200223042415'),
 ('20200223234015'),
 ('20200306202253'),
-('20200307021204');
+('20200307021204'),
+('20200309035334');


--- a/test/factories/user_password_reset_nonce.rb
+++ b/test/factories/user_password_reset_nonce.rb
@@ -1,3 +0,0 @@
-FactoryBot.define do
-  factory(:user_password_reset_nonce)
-end
--- a/test/functional/maintenance/user/password_resets_controller_test.rb
+++ b/test/functional/maintenance/user/password_resets_controller_test.rb
@@ -1,112 +0,0 @@
-require "test_helper"
-
-module Maintenance
-  module User
-    class PasswordResetsControllerTest < ActionDispatch::IntegrationTest
-      context "A password resets controller" do
-        setup do
-          @user = create(:user, :email => "abc@com.net")
-          ActionMailer::Base.delivery_method = :test
-          ActionMailer::Base.deliveries.clear
-        end
-
-        should "render the new page" do
-          get new_maintenance_user_password_reset_path
-          assert_response :success
-        end
-
-        context "create action" do
-          context "given invalid parameters" do
-            setup do
-              post maintenance_user_password_reset_path, params: {:nonce => {:email => ""}}
-            end
-
-            should "not create a new nonce" do
-              assert_equal(0, UserPasswordResetNonce.count)
-            end
-
-            should "redirect to the new page" do
-              assert_redirected_to new_maintenance_user_password_reset_path
-            end
-
-            should "not deliver an email" do
-              assert_equal(0, ActionMailer::Base.deliveries.size)
-            end
-          end
-
-          context "given valid parameters" do
-            setup do
-              post maintenance_user_password_reset_path, params: {:nonce => {:email => @user.email}}
-            end
-
-            should "create a new nonce" do
-              assert_equal(1, UserPasswordResetNonce.where(:email => @user.email).count)
-            end
-
-            should "redirect to the new page" do
-              assert_redirected_to new_maintenance_user_password_reset_path
-            end
-
-            should "deliver an email to the supplied email address" do
-              assert_equal(1, ActionMailer::Base.deliveries.size)
-            end
-          end
-        end
-
-        context "edit action" do
-          context "with invalid parameters" do
-            setup do
-              get edit_maintenance_user_password_reset_path, params: {:email => "a@b.c"}
-            end
-
-            should "succeed silently" do
-              assert_response :success
-            end
-          end
-
-          context "with valid parameters" do
-            setup do
-              @user = create(:user)
-              @nonce = create(:user_password_reset_nonce, :email => @user.email)
-              ActionMailer::Base.deliveries.clear
-              get edit_maintenance_user_password_reset_path, params: {:email => @nonce.email, :key => @nonce.key}
-            end
-
-            should "succeed" do
-              assert_response :success
-            end
-          end
-        end
-
-        context "update action" do
-          context "with valid parameters" do
-            setup do
-              @user = create(:user)
-              @nonce = create(:user_password_reset_nonce, :email => @user.email)
-              ActionMailer::Base.deliveries.clear
-              @old_password = @user.bcrypt_password_hash
-              put maintenance_user_password_reset_path, params: {:email => @nonce.email, :key => @nonce.key}
-            end
-
-            should "succeed" do
-              assert_redirected_to new_maintenance_user_password_reset_path
-            end
-
-            should "send an email" do
-              assert_equal(1, ActionMailer::Base.deliveries.size)
-            end
-
-            should "change the password" do
-              @user.reload
-              assert_not_equal(@old_password, @user.bcrypt_password_hash)
-            end
-
-            should "delete the nonce" do
-              assert_equal(0, UserPasswordResetNonce.count)
-            end
-          end
-        end
-      end
-    end
-  end
-end
--- a/test/functional/password_resets_controller_test.rb
+++ b/test/functional/password_resets_controller_test.rb
@@ -0,0 +1,25 @@
+require 'test_helper'
+
+class PasswordResetsControllerTest < ActionDispatch::IntegrationTest
+  context "The passwords resets controller" do
+    setup do
+      @user = create(:user)
+    end
+
+    context "show action" do
+      should "work" do
+        get password_reset_path
+        assert_response :success
+      end
+    end
+
+    context "create action" do
+      should "work" do
+        post password_reset_path, params: { user: { name: @user.name } }
+
+        assert_redirected_to new_session_path
+        assert_enqueued_email_with UserMailer, :password_reset, args: [@user]
+      end
+    end
+  end
+end
--- a/test/mailers/previews/user_mailer_preview.rb
+++ b/test/mailers/previews/user_mailer_preview.rb
@@ -3,4 +3,9 @@ class UserMailerPreview < ActionMailer::Preview
    dmail = User.admins.first.dmails.first
    UserMailer.dmail_notice(dmail)
  end
+
+  def password_reset
+    user = User.find(params[:id])
+    UserMailer.password_reset(user)
+  end
 end
--- a/test/unit/user_password_reset_nonce_test.rb
+++ b/test/unit/user_password_reset_nonce_test.rb
@@ -1,48 +0,0 @@
-require 'test_helper'
-
-class UserPasswordResetNonceTest < ActiveSupport::TestCase
-  context "Creating a new nonce" do
-    context "with a valid email" do
-      setup do
-        @user = FactoryBot.create(:user, :email => "aaa@b.net")
-        @nonce = FactoryBot.create(:user_password_reset_nonce, :email => @user.email)
-      end
-
-      should "validate" do
-        assert_equal([], @nonce.errors.full_messages)
-      end
-
-      should "populate the key with a random string" do
-        assert_equal(24, @nonce.key.size)
-      end
-
-      should "reset the password when reset" do
-        @nonce.user.expects(:reset_password_and_deliver_notice)
-        @nonce.reset_user!
-      end
-    end
-
-    context "with a blank email" do
-      setup do
-        @user = FactoryBot.create(:user, :email => "")
-        @nonce = UserPasswordResetNonce.new(:email => "")
-      end
-
-      should "not validate" do
-        @nonce.save
-        assert_equal(["Email can't be blank", "Email is invalid"], @nonce.errors.full_messages.sort)
-      end
-    end
-
-    context "with an invalid email" do
-      setup do
-        @nonce = UserPasswordResetNonce.new(:email => "z@z.net")
-      end
-
-      should "not validate" do
-        @nonce.save
-        assert_equal(["Email is invalid"], @nonce.errors.full_messages)
-      end
-    end
-  end
-end
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -221,12 +221,6 @@ class UserTest < ActiveSupport::TestCase
        assert_equal(["Password is too short (minimum is 5 characters)"], @user.errors.full_messages)
      end

-      should "should be reset" do
-        @user = FactoryBot.create(:user)
-        new_pass = @user.reset_password
-        assert(User.authenticate(@user.name, new_pass), "Authentication should have succeeded")
-      end
-
      should "not change the password if the password and old password are blank" do
        @user = FactoryBot.create(:user, :password => "67890")
        @user.update(password: "", old_password: "")