Merge pull request #374 from jakubrohleder/feature/password-reset-wit…

…h-check-fix

Feature/password reset with check fix

app/controllers/devise_token_auth/passwords_controller.rb

@@ -90,6 +90,9 @@ def edit
         # ensure that user is confirmed
         @resource.skip_confirmation! if @resource.devise_modules.include?(:confirmable) && !@resource.confirmed_at
 
+        # allow user to change password once without current_password
+        @resource.allow_password_change = true;
+
         @resource.save!
         yield if block_given?
 
@@ -121,6 +124,8 @@ def update
       end
 
       if @resource.send(resource_update_method, password_resource_params)
+        @resource.allow_password_change = false
+
         yield if block_given?
         return render_update_success
       else
@@ -131,10 +136,10 @@ def update
     protected
 
     def resource_update_method
-      if DeviseTokenAuth.check_current_password_before_update != false
-        "update_with_password"
-      else
+      if DeviseTokenAuth.check_current_password_before_update == false or @resource.allow_password_change == true
         "update_attributes"
+      else
+        "update_with_password"
       end
     end
 

app/models/devise_token_auth/concerns/user.rb

@@ -44,6 +44,12 @@ def self.tokens_match?(token_hash, token)
     # get rid of dead tokens
     before_save :destroy_expired_tokens
 
+    # allows user to change password without current_password
+    attr_writer :allow_password_change
+    def allow_password_change
+      @allow_password_change || false
+    end
+
     # don't use default devise email validation
     def email_required?
       false
@@ -88,7 +94,7 @@ def send_reset_password_instructions(opts=nil)
 
   module ClassMethods
     protected
-    
+
 
     def tokens_has_json_column_type?
       table_exists? && self.columns_hash['tokens'] && self.columns_hash['tokens'].type.in?([:json, :jsonb])

test/controllers/devise_token_auth/passwords_controller_test.rb

@@ -33,6 +33,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.missing_email")]
         end
       end
+
       describe 'not redirect_url should return 401' do
         before do
           @auth_headers = @resource.create_new_auth_token
@@ -300,6 +301,45 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
         end
 
+        describe 'success with after password reset' do
+          before do
+            xhr :post, :create, {
+              email:        @resource.email,
+              redirect_url: @redirect_url
+            }
+
+            @mail = ActionMailer::Base.deliveries.last
+            @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
+            @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+
+            xhr :get, :edit, {
+              reset_password_token: @mail_reset_token,
+              redirect_url: @mail_redirect_url
+            }
+
+            @auth_headers = @resource.create_new_auth_token
+            request.headers.merge!(@auth_headers)
+            @new_password = Faker::Internet.password
+
+            xhr :put, :update, {
+              password: @new_password,
+              password_confirmation: @new_password
+            }
+
+            @data = JSON.parse(response.body)
+            @allow_password_change = @resource.allow_password_change
+            @resource.reload
+          end
+
+          test "request should be successful" do
+            assert_equal 200, response.status
+          end
+
+          test "sets allow_password_change false" do
+            assert_equal false, @allow_password_change
+          end
+        end
+
         describe 'current password mismatch error' do
           before do
             @auth_headers = @resource.create_new_auth_token