users: refactor password reset flow.

The old password reset flow:

* User requests a password reset.
* Danbooru generates a password reset nonce.
* Danbooru emails user a password reset confirmation link.
* User follows link to password reset confirmation page.
* The link contains a nonce authenticating the user.
* User confirms password reset.
* Danbooru resets user's password to a random string.
* Danbooru emails user their new password in plaintext.

The new password reset flow:

* User requests a password reset.
* Danbooru emails user a password reset link.
* User follows link to password edit page.
* The link contains a signed_user_id param authenticating the user.
* User changes their own password.

app/views/maintenance/user/password_reset_mailer/confirmation.html.erb

@@ -1,5 +0,0 @@
-<h1>Password Reset Confirmation</h1>
-
-<p>The password for the user "<%= @user.name %>" for the website <%= Danbooru.config.app_name %> has been reset. It is now <code><%= @new_password %></code>.</p>
-
-<p>Please log in to the website and <%= link_to "change your password", edit_user_url(@user, :host => Danbooru.config.hostname, :only_path => false) %> as soon as possible.</p>

app/views/maintenance/user/password_reset_mailer/reset_request.html.erb

@@ -1,4 +0,0 @@
-<h1>Password Reset Request</h1>
-
-<p>Someone has requested that the password for "<%= @user.name %>" for the website <%= Danbooru.config.app_name %> be reset. If you did not request this, then you can ignore this email.</p>
-<p>To reset your password, please visit <%= link_to "this link", edit_maintenance_user_password_reset_url(:host => Danbooru.config.hostname, :only_path => false, :key => @nonce.key, :email => @nonce.email) %>.</p>

app/views/maintenance/user/password_resets/edit.html.erb

@@ -1,19 +0,0 @@
-<% page_title "Reset Password" %>
-<%= render "sessions/secondary_links" %>
-
-<div id="c-maintenance-user-password-resets">
-  <div id="a-edit">
-    <h1>Reset Password</h1>
-
-    <% if @nonce %>
-      <%= form_tag(maintenance_user_password_reset_path, :method => :put) do %>
-        <%= hidden_field_tag :email, params[:email] %>
-        <%= hidden_field_tag :key, params[:key] %>
-        <p>Do you wish to reset your password? A new password will be emailed to you.</p>
-        <%= submit_tag "Reset" %>
-      <% end %>
-    <% else %>
-      <p>Invalid key</p>
-    <% end %>
-  </div>
-</div>

app/views/maintenance/user/password_resets/new.html.erb

@@ -1,20 +0,0 @@
-<% page_title "Reset Password" %>
-<%= render "sessions/secondary_links" %>
-
-<div id="c-maintenance-user-password-resets">
-  <div id="a-new">
-    <h1>Reset Password</h1>
-
-    <p>If you supplied an email address when signing up, <%= Danbooru.config.app_name %> can reset your password. You will receive an email confirming your request for a new password.</p>
-
-    <p>If you didn't supply a valid email address, you are out of luck.</p>
-
-    <%= form_tag(maintenance_user_password_reset_path, :class => "simple_form") do %>
-      <div class="input email required">
-        <label for="nonce_email" class="required">Email</label>
-        <%= text_field :nonce, :email %>
-      </div>
-      <%= submit_tag "Submit" %>
-    <% end %>
-  </div>
-</div>

app/views/password_resets/show.html.erb

@@ -0,0 +1,22 @@
+<% page_title "Reset Password" %>
+<%= render "sessions/secondary_links" %>
+
+<div id="c-password-resets">
+  <div id="a-show">
+    <h1>Reset Password</h1>
+
+    <p>
+      Enter your username below to reset your password. You will be sent an
+      email containing a link to reset your password.
+    </p>
+
+    <p>
+      If your account doesn't have a valid email address, then your password can't be reset.
+    </p>
+
+    <%= edit_form_for(:user, url: password_reset_path, action: :post) do |f| %>
+      <%= f.input :name, label: "Username", input_html: { "data-autocomplete": "user" } %>
+      <%= f.submit "Submit" %>
+    <% end %>
+  </div>
+</div>

app/views/passwords/edit.html.erb

@@ -4,8 +4,14 @@
   <div id="a-edit">
     <h1>Change Password</h1>
 
+    <p>Enter a new password below.</p>
+
     <%= edit_form_for(@user, url: user_password_path(@user)) do |f| %>
-      <%= f.input :old_password, as: :password, hint: "Re-enter your current password." %>
+      <% if params[:signed_user_id] %>
+        <%= f.input :signed_user_id, as: :hidden, input_html: { value: params[:signed_user_id] }  %>
+      <% else %>
+        <%= f.input :old_password, as: :password, hint: "Re-enter your current password." %>
+      <% end %>
       <%= f.input :password, label: "New password", hint: "Must be at least 5 characters long." %>
       <%= f.input :password_confirmation, label: "Confirm new password" %>
       <%= f.submit "Save" %>

app/views/sessions/new.html.erb

@@ -11,7 +11,7 @@
       <%= simple_form_for(:session, url: session_path) do |f| %>
         <%= f.input :url, as: :hidden, input_html: { value: params[:url] } %>
         <%= f.input :name %>
-        <%= f.input :password, hint: link_to("Forgot password?", new_maintenance_user_password_reset_path), input_html: { autocomplete: "password" } %>
+        <%= f.input :password, hint: link_to("Forgot password?", password_reset_path), input_html: { autocomplete: "password" } %>
         <%= f.submit "Login" %>
       <% end %>
 

app/views/user_mailer/password_reset.html.erb

@@ -0,0 +1,22 @@
+<!doctype html>
+<html>
+  <body>
+    <h2>Hi <%= @user.name %>,</h2>
+
+    <p>
+      You recently requested your password to be reset for your <%= Danbooru.config.app_name %>
+      account. Click the link below to login to <%= Danbooru.config.app_name %>
+      and reset your password.
+    </p>
+
+    <p>
+      <%= link_to "Reset password", edit_user_password_url(@user, signed_user_id: Danbooru::MessageVerifier.new(:login).generate(@user.id, expires_in: 30.minutes)) %>
+    </p>
+
+    <p>
+      If you did not request for your <%= Danbooru.config.app_name %> password to
+      be reset, please ignore this email or reply to let us know. This link
+      will only be valid for the next 30 minutes.
+    </p>
+  </body>
+</html>