More secure feedback message on password reset

app/controllers/users/auth_common.rb

@@ -1,5 +1,23 @@
 # frozen_string_literal: true
 
+class DeviseController
+  # monkey patching devise so it can handle the new default behaviour in rails 7
+  #   redirects
+
+  original_redirect_to = instance_method(:redirect_to)
+  define_method(:redirect_to) do |options, response_options = {}|
+    if options.is_a?(Hash)
+      options[:allow_other_host] = true unless options.key?(:allow_other_host)
+
+    elsif response_options.is_a?(Hash)
+      response_options[:allow_other_host] = true unless response_options.key?(:allow_other_host)
+    end
+
+    original_redirect_to
+      .bind_call(self, options, response_options)
+  end
+end
+
 module Users
   module AuthCommon
     def self.included(klass)

app/controllers/users/passwords_controller.rb

@@ -6,4 +6,11 @@ class Users::PasswordsController < Devise::PasswordsController
   include Users::AuthCommon
 
   before_action :set_site
+
+  # POST /resource/password
+  def create
+    resource_class.send_reset_password_instructions(resource_params)
+
+    redirect_to new_user_password_path, notice: 'If a PlaceCal account is associated with the submitted email address, password reset instructions have been sent.'
+  end
 end

app/controllers/users/sessions_controller.rb

@@ -2,24 +2,6 @@
 
 require_relative 'auth_common'
 
-class DeviseController
-  # monkey patching devise so it can handle the new default behaviour in rails 7
-  #   redirects
-
-  original_redirect_to = instance_method(:redirect_to)
-  define_method(:redirect_to) do |options, response_options = {}|
-    if options.is_a?(Hash)
-      options[:allow_other_host] = true unless options.key?(:allow_other_host)
-
-    elsif response_options.is_a?(Hash)
-      response_options[:allow_other_host] = true unless response_options.key?(:allow_other_host)
-    end
-
-    original_redirect_to
-      .bind_call(self, options, response_options)
-  end
-end
-
 class Users::SessionsController < Devise::SessionsController
   include Users::AuthCommon
 

app/views/devise/passwords/new.html.erb

@@ -1,21 +1,22 @@
 <article class="home margin">
   <div class="card card--plainer">
     <h1 class="center fc-primary">Forgot your password?</h1>
-
+    <p class="center">
+      Enter the email address associated with your PlaceCal account and we will send you an email with password reset instructions.
+    </p>
+    <br>
     <div class="centre form--login">
       <%= form_for(resource, as: resource_name,
                             url: password_path(resource_name),
                             html: { method: :post, class: 'form', data: { turbo: 'false' } }) do |f| %>
 
-      <%= render "devise/shared/error_messages", resource: resource %>
-
       <div class="form__field">
         <%= f.label :email %>
         <%= f.email_field :email, autofocus: true %>
       </div>
       <br>
       <div class="actions">
-        <%= f.submit "Send me reset password instructions", class: "btn btn--big btn--home-3" %>
+        <%= f.submit "Submit", class: "btn btn--big btn--home-3" %>
       </div>
       <% end %>
       <br>

test/integration/devise_redirection_test.rb

@@ -28,11 +28,14 @@ class DeviseRedirectTest < ActionDispatch::IntegrationTest
     click_link 'Forgot your password?'
 
     fill_in 'Email', with: '[email protected]'
-    click_button 'Send me reset password instructions'
+    click_button 'Submit'
 
-    # has redirected to log in page with flash
+    # this now stays on the password reset page
     assert_selector '.alert-success',
-                    text: 'You will receive an email with instructions on how to reset your password in a few minutes.'
+                    text: 'If a PlaceCal account is associated with the submitted email address, password reset instructions have been sent.'
+    assert_equal 'http://lvh.me/users/password/new', current_url
+
+    click_link 'Admin log in'
     assert_equal 'http://lvh.me/users/sign_in', current_url
 
     # now pick up the reset email and extract the link