users: refactor password reset flow.
The old password reset flow: * User requests a password reset. * Danbooru generates a password reset nonce. * Danbooru emails user a password reset confirmation link. * User follows link to password reset confirmation page. * The link contains a nonce authenticating the user. * User confirms password reset. * Danbooru resets user's password to a random string. * Danbooru emails user their new password in plaintext. The new password reset flow: * User requests a password reset. * Danbooru emails user a password reset link. * User follows link to password edit page. * The link contains a signed_user_id param authenticating the user. * User changes their own password.
This commit is contained in:
evazion
@@ -1,38 +0,0 @@
|
||||
module Maintenance
|
||||
module User
|
||||
class PasswordResetsController < ApplicationController
|
||||
def new
|
||||
@nonce = UserPasswordResetNonce.new
|
||||
end
|
||||
|
||||
def create
|
||||
@nonce = UserPasswordResetNonce.create(nonce_params)
|
||||
if @nonce.errors.any?
|
||||
redirect_to new_maintenance_user_password_reset_path, :notice => @nonce.errors.full_messages.join("; ")
|
||||
else
|
||||
redirect_to new_maintenance_user_password_reset_path, :notice => "Email request sent"
|
||||
end
|
||||
end
|
||||
|
||||
def edit
|
||||
@nonce = UserPasswordResetNonce.where(:email => params[:email], :key => params[:key]).first
|
||||
end
|
||||
|
||||
def update
|
||||
@nonce = UserPasswordResetNonce.where(:email => params[:email], :key => params[:key]).first
|
||||
|
||||
if @nonce
|
||||
@nonce.reset_user!
|
||||
@nonce.destroy
|
||||
redirect_to new_maintenance_user_password_reset_path, :notice => "Password reset; email delivered with new password"
|
||||
else
|
||||
redirect_to new_maintenance_user_password_reset_path, :notice => "Invalid key"
|
||||
end
|
||||
end
|
||||
|
||||
def nonce_params
|
||||
params.fetch(:nonce, {}).permit([:email])
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
14
app/controllers/password_resets_controller.rb
Normal file
14
app/controllers/password_resets_controller.rb
Normal file
@@ -0,0 +1,14 @@
|
||||
class PasswordResetsController < ApplicationController
|
||||
respond_to :html, :xml, :json
|
||||
|
||||
def create
|
||||
@user = User.find_by_name(params.dig(:user, :name))
|
||||
UserMailer.password_reset(@user).deliver_later
|
||||
|
||||
flash[:notice] = "Password reset email sent. Check your email"
|
||||
respond_with(@user, location: new_session_path)
|
||||
end
|
||||
|
||||
def show
|
||||
end
|
||||
end
|
||||
@@ -26,6 +26,6 @@ class PasswordsController < ApplicationController
|
||||
end
|
||||
|
||||
def user_params
|
||||
params.require(:user).permit(%i[old_password password password_confirmation])
|
||||
params.require(:user).permit(%i[signed_user_id old_password password password_confirmation])
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user