From 9db7b5b8648461672c8ee484232ffa81ed5ee107 Mon Sep 17 00:00:00 2001
From: Colin Darie
Date: Tue, 27 Feb 2024 18:46:06 +0100
Subject: [PATCH] fix: encode reset password email in param because it's rendered in view later

---
 app/controllers/application_controller.rb | 4 ++++
 app/controllers/users/passwords_controller.rb | 5 +++--
 .../controllers/users/passwords_controller_spec.rb | 14 +++++++++++++-
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index db1e49832..59fce2c3e 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -117,6 +117,10 @@ class ApplicationController < ActionController::Base
     "window.location.href='#{path}'"
   end
 
+  def message_verifier
+    @message_verifier ||= ActiveSupport::MessageVerifier.new(Rails.application.secret_key_base)
+  end
+
   protected
 
   def feature_enabled?(feature_name)
diff --git a/app/controllers/users/passwords_controller.rb b/app/controllers/users/passwords_controller.rb
index 945635d9e..a80535712 100644
--- a/app/controllers/users/passwords_controller.rb
+++ b/app/controllers/users/passwords_controller.rb
@@ -26,7 +26,7 @@ class Users::PasswordsController < Devise::PasswordsController
   # end
 
   def reset_link_sent
-    @email = params[:email]
+    @email = message_verifier.verify(params[:email], purpose: :reset_password) rescue nil
   end
 
   protected
@@ -37,7 +37,8 @@ class Users::PasswordsController < Devise::PasswordsController
 
   def after_sending_reset_password_instructions_path_for(resource_name)
     flash.discard(:notice)
-    users_password_reset_link_sent_path(email: resource.email)
+    signed_email = message_verifier.generate(resource.email, purpose: :reset_password, expires_in: 1.hour)
+    users_password_reset_link_sent_path(email: signed_email)
   end
 
   def try_to_authenticate_instructeur
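Review bot: `message_verifier` is added above the `protected` marker in ApplicationController, so it is a public instance method and therefore counts as an action method on every controller that inherits it; the spec's `controller.message_verifier` call is presumably why it was left public. Move it under `private` (or `protected`) and have the spec reach it with `controller.send(:message_verifier)`. Consider also `@message_verifier ||= Rails.application.message_verifier(:reset_password)`, which derives a purpose-specific key through the application's key generator instead of handing the raw `secret_key_base` to the verifier, so a future leak of a token-signing key cannot be confused with the application's master secret. The enclosing class continues outside the hunk.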
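Review bot: The `rescue nil` modifier on the new `reset_link_sent` line swallows every StandardError, not only `ActiveSupport::MessageVerifier::InvalidSignature`, so an unrelated failure (misconfigured secret, serializer error) is silently turned into a page with no email instead of surfacing. `MessageVerifier#verified` already returns nil for a missing, tampered, expired or wrong-purpose token without raising: `@email = message_verifier.verified(params[:email], purpose: :reset_password)`. A one-line comment above the method, `# @email is nil unless the param was signed by after_sending_reset_password_instructions_path_for`, would tell the view author that the value is trusted only because it carries our signature.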
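Review bot: The signed value placed in the query string by `after_sending_reset_password_instructions_path_for` is integrity-protected but not encrypted: the token is a base64-wrapped serialization of the address, so the email remains readable in request logs and Referer headers exactly as it did with the plain parameter. That matches the stated goal (the view only renders addresses this app signed), but it should be recorded so the change is not read as a confidentiality fix, e.g. `# Signed, not encrypted: proves the email came from us, does not hide it from URLs or logs.` above the `signed_email =` line. If hiding the address is ever required, `ActiveSupport::MessageEncryptor` is the tool, not a longer signature.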
diff --git a/spec/controllers/users/passwords_controller_spec.rb b/spec/controllers/users/passwords_controller_spec.rb
index 8d3769cf5..607f3c662 100644
--- a/spec/controllers/users/passwords_controller_spec.rb
+++ b/spec/controllers/users/passwords_controller_spec.rb
@@ -43,11 +43,23 @@ describe Users::PasswordsController, type: :controller do
     let(:email) { 'test@example.com' }
 
     it 'displays the page' do
-      get 'reset_link_sent', params: { email: email }
+      signed_email = controller.message_verifier.generate(email, purpose: :reset_password)
+
+      get 'reset_link_sent', params: { email: signed_email }
 
       expect(response).to have_http_status(:ok)
       expect(response).to render_template('reset_link_sent')
       expect(assigns(:email)).to eq email
     end
+
+    context 'when signed email is invalid' do
+      it "does not fail" do
+        get 'reset_link_sent', params: { email: "invalid.message" }
+
+        expect(response).to have_http_status(:ok)
+        expect(response).to render_template('reset_link_sent')
+        expect(assigns(:email)).to be_nil
+      end
+    end
   end
 end
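Review bot: The new examples cover a valid token and a malformed one, but not the two cases the controller actually relies on the verifier for: an expired token (the controller signs with `expires_in: 1.hour`, while the spec's `generate` call omits any expiry, so the expiry path is never exercised) and a token signed for a different purpose. Both should render the page with `assigns(:email)` nil; an expired token can be produced with the verifier's `expires_at:` option, and the wrong-purpose case by generating with another `purpose:` value. The `describe` block starts before this hunk.

```ruby
    context 'when signed email is expired' do
      it 'renders the page without an email' do
        signed_email = controller.message_verifier.generate(email, purpose: :reset_password, expires_at: 1.hour.ago)

        get 'reset_link_sent', params: { email: signed_email }

        expect(response).to have_http_status(:ok)
        expect(assigns(:email)).to be_nil
      end
    end
    # … unchanged: 'when signed email is invalid' context …
```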