Be paranoid when sending password reset emails

This implements what is known as "paranoid" password reset flash
messages (using the terminology from Devise). It avoids revealing
whether the supplied email address is already registered.

Added an explicit test for this situation, so that the test for
email non-existence is separate from the duplicate-case tests.
Andy Allan 2024-03-02 15:48:54 +00:00
parent 664d02982c
commit 4e237db390
3 changed files with 24 additions and 15 deletions

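To show what the "paranoid" flow buys, here is an added example (not code from openstreetmap-website or from the commit author): a plain-Ruby stand-in for the controller action, with a constructed in-memory user table in place of `User.find_by`, a leaky handler that mirrors the old branches, a paranoid handler that mirrors the new one, and a check that submits a registered and an unregistered address and compares everything the client would see.

```ruby
require "securerandom"

# Constructed in-memory user table standing in for the database lookup.
# Example data only, not the project's.
USERS = { "alice@example.com" => { display_name: "alice" } }.freeze

# Before the change: flash text and status differ between the two branches,
# so the endpoint doubles as an account-enumeration oracle.
def reset_request_leaky(email, outbox)
  if (user = USERS[email])
    token = SecureRandom.urlsafe_base64(32)
    outbox << { to: email, token: token, user: user }
    { status: 302, location: "/login", flash: { notice: "email on way" } }
  else
    { status: 200, flash: { error: "email cannot find" } }
  end
end

# After the change ("paranoid" mode): mail is still only sent when the
# address is registered, but the response is identical either way.
def reset_request_paranoid(email, outbox)
  if (user = USERS[email])
    token = SecureRandom.urlsafe_base64(32)
    outbox << { to: email, token: token, user: user }
  end
  { status: 302, location: "/login", flash: { notice: "send_paranoid_instructions" } }
end

# Enumeration check: run the handler for a known and an unknown address and
# compare the client-visible result. Returns true if the handler leaks.
def enumerable?(handler)
  known   = handler.call("alice@example.com", [])
  unknown = handler.call("nobody@example.com", [])
  known != unknown
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky handler enumerable?    #{enumerable?(method(:reset_request_leaky))}"
  puts "paranoid handler enumerable? #{enumerable?(method(:reset_request_paranoid))}"
end
```

The check only compares what the handler returns; in a real deployment the remaining difference is that the registered-address path still generates a token and enqueues a mail job, which is a timing signal rather than a message one.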

@ -43,12 +43,10 @@ class PasswordsController < ApplicationController
if user
token = user.generate_token_for(:password_reset)
UserMailer.lost_password(user, token).deliver_later
flash[:notice] = t ".notice email on way"
redirect_to login_path
else
flash.now[:error] = t ".notice email cannot find"
render :new
end
flash[:notice] = t ".send_paranoid_instructions"
redirect_to login_path
end
def update
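Review bot: the two paths are still distinguishable by timing, because only the `if user` branch calls `user.generate_token_for(:password_reset)` and enqueues `UserMailer.lost_password(user, token).deliver_later`; making the flash text identical closes the message oracle but not that one, so either do comparable work on the not-found path or note in the commit that timing is out of scope. Two smaller points: the `+`/`-` markers are lost in this rendering, so please confirm that the `redirect_to login_path` inside the `if user` branch was removed rather than kept alongside the trailing unconditional `flash[:notice] = t ".send_paranoid_instructions"` / `redirect_to login_path` (keeping both would raise DoubleRenderError), and that the now-unreferenced `.notice email on way` and `.notice email cannot find` locale keys are dropped while `.send_paranoid_instructions` is added in the locale files touched by this commit.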