cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Use rails tokens for password resets

Browse source
This commit is contained in:
Tom Hughes 2023-12-07 18:30:12 +00:00
parent b42d48ff65
commit b8fad531e4
5 changed files with 18 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.rubocop_todo.yml
View file

@ -66,7 +66,7 @@ Metrics/BlockNesting:
# Offense count: 26
# Configuration parameters: CountComments, CountAsOne.
Metrics/ClassLength:
Max: 305
Max: 307
# Offense count: 59
# Configuration parameters: AllowedMethods, AllowedPatterns.

18
app/controllers/passwords_controller.rb
View file

@ -19,11 +19,10 @@ class PasswordsController < ApplicationController
@title = t ".title"
if params[:token]
token = UserToken.find_by(:token => params[:token])
self.current_user = User.find_by_token_for(:password_reset, params[:token]) ||
UserToken.unexpired.find_by(:token => params[:token])&.user
if token
self.current_user = token.user
else
if current_user.nil?
flash[:error] = t ".flash token bad"
redirect_to :action => "new"
end
@ -42,7 +41,7 @@ class PasswordsController < ApplicationController
end
if user
token = user.tokens.create
token = user.generate_token_for(:password_reset)
UserMailer.lost_password(user, token).deliver_later
flash[:notice] = t ".notice email on way"
redirect_to login_path
@ -54,11 +53,10 @@ class PasswordsController < ApplicationController
def update
if params[:token]
token = UserToken.find_by(:token => params[:token])
if token
self.current_user = token.user
self.current_user = User.find_by_token_for(:password_reset, params[:token]) ||
UserToken.unexpired.find_by(:token => params[:token])&.user
if current_user
if params[:user]
current_user.pass_crypt = params[:user][:pass_crypt]
current_user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
@ -66,7 +64,7 @@ class PasswordsController < ApplicationController
current_user.email_valid = true
if current_user.save
token.destroy
UserToken.delete_by(:token => params[:token])
session[:fingerprint] = current_user.fingerprint
flash[:notice] = t ".flash changed"
successful_login(current_user)

2
app/mailers/user_mailer.rb
View file

@ -34,7 +34,7 @@ class UserMailer < ApplicationMailer
def lost_password(user, token)
with_recipient_locale user do
@url = user_reset_password_url(:token => token.token)
@url = user_reset_password_url(:token => token)
mail :to => user.email,
:subject => t(".subject")

4
app/models/user.rb
View file

@ -124,6 +124,10 @@ class User < ApplicationRecord
before_save :update_tile
after_save :spam_check
generates_token_for :password_reset, :expires_in => 1.week do
fingerprint
end
def display_name_cannot_be_user_id_with_other_id
display_name&.match(/^user_(\d+)$/i) do |m|
errors.add :display_name, I18n.t("activerecord.errors.messages.display_name_is_user_n") unless m[1].to_i == id

8
test/controllers/passwords_controller_test.rb
View file

@ -127,21 +127,21 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
assert_redirected_to :action => :new
# Create a valid token for a user
token = user.tokens.create
token = user.generate_token_for(:password_reset)
# Test a request with a valid token
get user_reset_password_path, :params => { :token => token.token }
get user_reset_password_path, :params => { :token => token }
assert_response :success
assert_template :edit
# Test that errors are reported for erroneous submissions
post user_reset_password_path, :params => { :token => token.token, :user => { :pass_crypt => "new_password", :pass_crypt_confirmation => "different_password" } }
post user_reset_password_path, :params => { :token => token, :user => { :pass_crypt => "new_password", :pass_crypt_confirmation => "different_password" } }
assert_response :success
assert_template :edit
assert_select "div.invalid-feedback"
# Test setting a new password
post user_reset_password_path, :params => { :token => token.token, :user => { :pass_crypt => "new_password", :pass_crypt_confirmation => "new_password" } }
post user_reset_password_path, :params => { :token => token, :user => { :pass_crypt => "new_password", :pass_crypt_confirmation => "new_password" } }
assert_response :redirect
assert_redirected_to root_path
assert_equal user.id, session[:user]