users: refactor password reset flow.
The old password reset flow:

* User requests a password reset.
* Danbooru generates a password reset nonce.
* Danbooru emails user a password reset confirmation link.
* User follows link to password reset confirmation page.
* The link contains a nonce authenticating the user.
* User confirms password reset.
* Danbooru resets user's password to a random string.
* Danbooru emails user their new password in plaintext.

The new password reset flow:

* User requests a password reset.
* Danbooru emails user a password reset link.
* User follows link to password edit page.
* The link contains a signed_user_id param authenticating the user.
* User changes their own password.
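As an added illustration of the signed, expiring link the new flow relies on, here is a small purpose-bound token with an expiry and the checks a verifier must perform. This is example code written for this page, not Danbooru's MessageVerifier; the SignedToken class, the :password_reset purpose and the demo secret are assumptions.

```ruby
require "openssl"
require "json"

# Hypothetical stand-in for a purpose-bound, expiring signed token such as the
# signed_user_id param in the new flow (not Danbooru's MessageVerifier).
# The payload carries user id, purpose and expiry; the HMAC covers all three,
# so a token minted for one purpose cannot be replayed for another.
class SignedToken
  def initialize(secret, purpose)
    @secret = secret
    @purpose = purpose.to_s
  end

  # Returns "<base64 payload>.<hex hmac>", valid for expires_in seconds.
  def generate(user_id, expires_in:, now: Time.now)
    payload = { "id" => user_id, "pur" => @purpose, "exp" => (now + expires_in).to_i }
    data = [JSON.generate(payload)].pack("m0")
    "#{data}.#{sign(data)}"
  end

  # Returns the user id, or nil if the signature, purpose or expiry check fails.
  def verify(token, now: Time.now)
    data, sig = token.to_s.split(".", 2)
    return nil if data.nil? || sig.nil? || !secure_equal?(sign(data), sig)
    payload = JSON.parse(data.unpack1("m0"))
    return nil unless payload["pur"] == @purpose
    return nil if now.to_i >= payload["exp"]
    payload["id"]
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
  end

  # Constant-time comparison so a signature mismatch does not leak timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed demo values: a 30-minute reset token for user 42.
SECRET = "constructed-demo-secret"
RESET_TOKEN = SignedToken.new(SECRET, :password_reset).generate(42, expires_in: 30 * 60)
```

A verifier built for the :login purpose, a verifier with a different secret, an expired clock, or a tampered signature all yield nil for RESET_TOKEN; only the matching purpose within the 30-minute window returns the user id.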
app/views/user_mailer/password_reset.html.erb (new file, 22 lines added)
@@ -0,0 +1,22 @@
<!doctype html>
<html>
<body>
<h2>Hi <%= @user.name %>,</h2>
<p>
You recently requested your password to be reset for your <%= Danbooru.config.app_name %>
account. Click the link below to login to <%= Danbooru.config.app_name %>
and reset your password.
</p>
<p>
<%= link_to "Reset password", edit_user_password_url(@user, signed_user_id: Danbooru::MessageVerifier.new(:login).generate(@user.id, expires_in: 30.minutes)) %>
</p>
<p>
If you did not request for your <%= Danbooru.config.app_name %> password to
be reset, please ignore this email or reply to let us know. This link
will only be valid for the next 30 minutes.
</p>
</body>
</html>
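Review bot: The `edit_user_password_url` line signs only `@user.id` under the `:login` purpose, so the link stays valid for the whole 30 minutes even after the user has already changed their password, and if the same `:login` purpose is used to verify other links in the app, a reset token would be accepted there too (and vice versa). A dedicated purpose such as `:password_reset`, plus binding the signed payload to something that changes on reset (the password digest or `updated_at`, checked on the edit/update side), would make the link effectively single-use. Minting the token inside the template also puts security-sensitive logic in a view; building the URL in the mailer action (e.g. `UserMailer#password_reset`, assigning an `@reset_url`) keeps the template free of it and the 30-minute value in one place alongside the "valid for the next 30 minutes" sentence. Minor wording: "If you did not request for your ... password to be reset" reads better as "If you did not request a password reset for your ... account".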