jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

users: refactor password reset flow.

Browse Source 
The old password reset flow:

* User requests a password reset.
* Danbooru generates a password reset nonce.
* Danbooru emails user a password reset confirmation link.
* User follows link to password reset confirmation page.
* The link contains a nonce authenticating the user.
* User confirms password reset.
* Danbooru resets user's password to a random string.
* Danbooru emails user their new password in plaintext.

The new password reset flow:

* User requests a password reset.
* Danbooru emails user a password reset link.
* User follows link to password edit page.
* The link contains a signed_user_id param authenticating the user.
* User changes their own password.
This commit is contained in:
evazion
2020-03-08 21:03:36 -05:00
parent f25bace766
commit 5625458f69
30 changed files with 133 additions and 395 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
app/controllers/password_resets_controller.rb Normal file
View File

@@ -0,0 +1,14 @@
class PasswordResetsController < ApplicationController
respond_to :html, :xml, :json
def create
@user = User.find_by_name(params.dig(:user, :name))
UserMailer.password_reset(@user).deliver_later
flash[:notice] = "Password reset email sent. Check your email"
respond_with(@user, location: new_session_path)
end
def show
end
end