fix: encode reset link email in param because it's rendered in view later

app/controllers/application_controller.rb

@@ -286,7 +286,8 @@ class ApplicationController < ActionController::Base
       end
 
       send_login_token_or_bufferize(current_instructeur)
-      redirect_to link_sent_path(email: current_instructeur.email)
+      signed_email = message_verifier.generate(current_instructeur.email, purpose: :reset_link, expires_in: 1.hour)
+      redirect_to link_sent_path(email: signed_email)
     end
   end
 

app/controllers/users/sessions_controller.rb

@@ -25,12 +25,16 @@ class Users::SessionsController < Devise::SessionsController
     if send_login_token_or_bufferize(current_instructeur)
       flash[:notice] = "Nous venons de vous renvoyer un nouveau lien de connexion sécurisée à #{APPLICATION_NAME}"
     end
-    redirect_to link_sent_path(email: current_instructeur.email)
+
+    signed_email = message_verifier.generate(current_instructeur.email, purpose: :reset_link, expires_in: 1.hour)
+    redirect_to link_sent_path(email: signed_email)
   end
 
   def link_sent
-    if StrictEmailValidator::REGEXP.match?(params[:email])
-      @email = params[:email]
+    email = message_verifier.verify(params[:email], purpose: :reset_link) rescue nil
+
+    if StrictEmailValidator::REGEXP.match?(email)
+      @email = email
     else
       redirect_to root_path
     end

spec/controllers/users/sessions_controller_spec.rb

@@ -225,7 +225,9 @@ describe Users::SessionsController, type: :controller do
   describe '#link_sent' do
     render_views
 
-    before { get :link_sent, params: { email: link_email } }
+    before { get :link_sent, params: { email: signed_email } }
+
+    let(:signed_email) { controller.message_verifier.generate(link_email, purpose: :reset_link) }
 
     context 'when the email is legit' do
       let(:link_email) { 'a@a.com' }