Add expiring, databaseless password reset tokens #682
Closed
13 commits (author shown: derekprior):

- 10003db Start Clearance 2.0 development
- b10a63f Stop supporting older versions of Ruby and Rails
- 6dd080f Remove all previously deprecated code
- 5263be0 Use flash alerts rather than notices
- c6f251b Convert nested `if/else` to `if/elsif/else`
- f30b60d Remove unused method
- 9ae46df Remove test setup for Rails 3.x
- 3313a7e Update RSpec dependency
- 0fb0696 Remove conditionals for older versions of Rails
- 64047ca Clean up passwords controller
- 13b31ac Add expiring, databaseless password reset tokens
- c3426a2 Extract PasswordResetToken
- b88990c Use digested encrypted password in reset tokens
@@ -1,29 +1,8 @@ | ||
if RUBY_VERSION < "2.2.0" | ||
appraise 'rails32' do | ||
gem 'rails', '~> 3.2.21' | ||
end | ||
end | ||
|
||
appraise 'rails40' do | ||
gem 'rails', '~> 4.0.13' | ||
gem 'test-unit' | ||
gem 'mime-types', '~> 2.99' | ||
end | ||
|
||
appraise 'rails41' do | ||
gem 'rails', '~> 4.1.9' | ||
gem 'mime-types', '~> 2.99' | ||
end | ||
|
||
appraise 'rails42' do | ||
gem 'rails', '~> 4.2.0' | ||
gem 'mime-types', '~> 2.99' | ||
end | ||
|
||
if RUBY_VERSION >= "2.2.0" | ||
appraise "rails50" do | ||
gem "rails", "~> 5.0.0.beta3" | ||
gem "rails-controller-testing" | ||
gem "rspec-rails", "~> 3.5.0.beta1" | ||
end | ||
appraise "rails50" do | ||
gem "rails", "~> 5.0.0.beta3" | ||
gem "rails-controller-testing" | ||
end |
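Review bot: the rewritten `rails50` appraisal drops `gem "rspec-rails", "~> 3.5.0.beta1"` with no replacement visible in this hunk; if the dependency moved to the gemspec as part of "Update RSpec dependency" that is fine, otherwise the Rails 5 suite will resolve an rspec-rails release that predates `rails-controller-testing` support. Removing the `RUBY_VERSION` guards is consistent with dropping the `rails32`, `rails40`, `rails41` and `rails42` appraisals, but the only remaining appraisal now pins to a pre-release, `gem "rails", "~> 5.0.0.beta3"`, so a follow-up to move to the final 5.0 release is worth tracking.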
@@ -56,6 +56,8 @@ Clearance.configure do |config| | |
config.routes = true | ||
config.httponly = false | ||
config.mailer_sender = "[email protected]" | ||
config.message_verifier = ActiveSupport::MessageVerifier.new(secret_key_base) | ||
config.password_reset_time_limit = 15.minutes | ||
config.password_strategy = Clearance::PasswordStrategies::BCrypt | ||
config.redirect_url = "/" | ||
config.secure_cookie = false | ||
|
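Review bot: `config.message_verifier = ActiveSupport::MessageVerifier.new(secret_key_base)` uses a bare `secret_key_base`, which is not defined inside a `config/initializers` file; readers copying this block will get a `NameError`, so the README should either spell out `Rails.application.secrets.secret_key_base` or state where the value comes from. Since this verifier is what signs the databaseless reset tokens, it is also worth a sentence that rotating `secret_key_base` invalidates every outstanding reset link, and that `config.password_reset_time_limit = 15.minutes` is enforced by the signed token rather than by a database record.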
@@ -124,6 +126,15 @@ Clearance.configure do |config| | |
end | ||
``` | ||
|
||
The password reset link contained in the email is configured to expire in 15 | ||
minutes. You can change this with the `password_reset_time_limit` configuration. | ||
|
||
```ruby | ||
Clearance.configure do |config| | ||
config.password_reset_time_limit = 1.hour | ||
end | ||
``` | ||
|
||
### Integrating with Rack Applications | ||
|
||
Clearance adds its session to the Rack environment hash so middleware and other | ||
|
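Review bot: the new paragraph documents only the time-based expiry ("configured to expire in 15 minutes") and the `config.password_reset_time_limit = 1.hour` override, but because the tokens are not stored in the database there is no server-side revocation before expiry; the README should state that a completed reset invalidates earlier links (the token carries a digest of the encrypted password, per commit b88990c) and that no other mechanism short of rotating the signing secret will do so. Mentioning that the limit is checked when the link is used, not when the email is sent, would also help operators reason about delayed mail delivery via `deliver_later`.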
@@ -1,115 +1,72 @@ | ||
require 'active_support/deprecation' | ||
|
||
class Clearance::PasswordsController < Clearance::BaseController | ||
if respond_to?(:before_action) | ||
skip_before_action :require_login, | ||
only: [:create, :edit, :new, :update], | ||
raise: false | ||
skip_before_action :authorize, | ||
only: [:create, :edit, :new, :update], | ||
raise: false | ||
before_action :ensure_existing_user, only: [:edit, :update] | ||
else | ||
skip_before_filter :require_login, | ||
only: [:create, :edit, :new, :update], | ||
raise: false | ||
skip_before_filter :authorize, | ||
only: [:create, :edit, :new, :update], | ||
raise: false | ||
before_filter :ensure_existing_user, only: [:edit, :update] | ||
before_action :ensure_existing_user, only: [:edit, :update] | ||
skip_before_action :require_login, only: [:create, :edit, :new, :update], raise: false | ||
|
||
def new | ||
render template: "passwords/new" | ||
end | ||
|
||
def create | ||
if user = find_user_for_create | ||
user.forgot_password! | ||
deliver_email(user) | ||
end | ||
render template: 'passwords/create' | ||
end | ||
|
||
def edit | ||
@user = find_user_for_edit | ||
render template: 'passwords/edit' | ||
render template: "passwords/create" | ||
end | ||
|
||
def new | ||
render template: 'passwords/new' | ||
def edit | ||
@user = find_user_by_password_reset_token(params[:token]) | ||
render template: "passwords/edit" | ||
end | ||
|
||
def update | ||
@user = find_user_for_update | ||
@user = find_user_by_password_reset_token(params[:token]) | ||
|
||
if @user.update_password password_reset_params | ||
sign_in @user | ||
redirect_to url_after_update | ||
if @user.update_password(password_reset_params) | ||
sign_in(@user) | ||
redirect_to(url_after_update) | ||
Yes!
||
else | ||
flash_failure_after_update | ||
render template: 'passwords/edit' | ||
render template: "passwords/edit" | ||
end | ||
end | ||
|
||
private | ||
|
||
def deliver_email(user) | ||
mail = ::ClearanceMailer.change_password(user) | ||
|
||
if mail.respond_to?(:deliver_later) | ||
mail.deliver_later | ||
else | ||
mail.deliver | ||
end | ||
::ClearanceMailer.change_password(user).deliver_later | ||
end | ||
|
||
def password_reset_params | ||
if params.has_key? :user | ||
ActiveSupport::Deprecation.warn %{Since locales functionality was added, accessing params[:user] is no longer supported.} | ||
params[:user][:password] | ||
else | ||
params[:password_reset][:password] | ||
end | ||
end | ||
|
||
def find_user_by_id_and_confirmation_token | ||
user_param = Clearance.configuration.user_id_parameter | ||
|
||
Clearance.configuration.user_model. | ||
find_by_id_and_confirmation_token params[user_param], params[:token].to_s | ||
params[:password_reset][:password] | ||
end | ||
|
||
def find_user_for_create | ||
Clearance.configuration.user_model. | ||
find_by_normalized_email params[:password][:email] | ||
end | ||
|
||
def find_user_for_edit | ||
find_user_by_id_and_confirmation_token | ||
end | ||
|
||
def find_user_for_update | ||
find_user_by_id_and_confirmation_token | ||
def find_user_by_password_reset_token(token) | ||
@user ||= Clearance::PasswordResetToken.new(token).user | ||
end | ||
|
||
def ensure_existing_user | ||
unless find_user_by_id_and_confirmation_token | ||
flash_failure_when_forbidden | ||
unless find_user_by_password_reset_token(params[:token]) | ||
flash_failure_when_invalid | ||
render template: "passwords/new" | ||
end | ||
end | ||
|
||
def flash_failure_when_forbidden | ||
flash.now[:notice] = translate(:forbidden, | ||
scope: [:clearance, :controllers, :passwords], | ||
default: t('flashes.failure_when_forbidden')) | ||
def flash_failure_when_invalid | ||
flash.now[:alert] = translate("flashes.failure_when_password_reset_invalid") | ||
end | ||
|
||
def flash_failure_after_update | ||
flash.now[:notice] = translate(:blank_password, | ||
flash.now[:alert] = translate(:blank_password, | ||
scope: [:clearance, :controllers, :passwords], | ||
default: t('flashes.failure_after_update')) | ||
end | ||
|
||
def url_after_create | ||
sign_in_url | ||
default: t("flashes.failure_after_update")) | ||
end | ||
|
||
def url_after_update | ||
|
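Review bot: `ensure_existing_user` renders `passwords/new` with the default 200 status when `Clearance::PasswordResetToken.new(token).user` returns nil, so an expired or tampered link is indistinguishable from a normal page view in access logs; consider passing an explicit status (for example `status: :forbidden`) alongside `flash_failure_when_invalid`. The new locale key `translate("flashes.failure_when_password_reset_invalid")` replaces the old `:forbidden` lookup with its `flashes.failure_when_forbidden` default, so the bundled locale files need the new key or the flash will render a missing-translation string. Minor: `find_user_by_password_reset_token(token)` memoizes with `@user ||=`, so the `token` argument is ignored after the first call; dropping the parameter and reading `params[:token]` inside the method would make the behaviour explicit.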
Nice.