Allow password reset with token alone #1295

jkeen · 2019-06-02T21:11:56Z

This is an attempt to resurrect the stagnant PR #1072 💀, which allowed for a reset password flow without needing the user to visit the API directly.

user fills out password reset request form

user is sent email

user clicks confirmation link

link leads to the client (instead of the API) with a reset_password_token

user submits password along with reset_password_token

user is now authorized and has a new password

This PR took the existing work of #1072, rebased master on it, fixed a couple of bugs, and updated some tests.

MaicolBen · 2019-06-02T22:11:41Z

@jkeen Awesome! Do you know why the specs are failing?

jkeen · 2019-06-04T15:08:38Z

Looks like after rebasing onto master some of the changes to #create_token now returning an object instead of an array need to get updated in this branch. I'm on it

jkeen · 2019-06-05T02:20:12Z

Now I don't know why the specs are failing.

jkeen · 2019-08-14T02:55:54Z

Finally figured out the intermittent test failure! So tests pass now @MaicolBen

MaicolBen · 2019-08-18T19:48:26Z

Awesome! It'd be great to fix Code Climate but not mandatory, I need to release a version before merging this

…aders

…en is invalid, small refactors for clarity

…re: require_client_password_reset_token to resolve test failures

MaicolBen · 2019-09-01T02:19:26Z

app/controllers/devise_token_auth/passwords_controller.rb

@@ -184,5 +194,23 @@ def validate_redirect_url_param
      return render_create_error_missing_redirect_url unless @redirect_url
      return render_error_not_allowed_redirect_url if blacklisted_redirect_url?
    end
+
+    def build_callback_url(reset_password_token)


can't you use DeviseTokenAuth::Url.generate for this?

MaicolBen · 2019-09-01T02:20:14Z

test/test_helper.rb

  setup { DatabaseCleaner.start }
  teardown { DatabaseCleaner.clean }

+


you can remove these unless it has a purpose

MaicolBen · 2019-09-01T02:20:36Z

test/test_helper.rb

@@ -39,9 +39,12 @@ class ActiveSupport::TestCase
  strategies = { active_record: :transaction,
                 mongoid: :truncation }
  DatabaseCleaner.strategy = strategies[DEVISE_TOKEN_AUTH_ORM]
+  DatabaseCleaner.clean_with(:truncation)


why this change?

It was an attempt to combat the mysterious database constraint violations with duplicate emails while testing.

That validation problem I don't think is related to the changes on this branch, but I'm still trying to resolve it. I just made a change to ensure unique emails, so hopefully that fixes it

… Add tests that hit this codepath

…tion errors (it seems to work without this now)

jkeen · 2019-09-04T14:47:34Z

@MaicolBen updated!

MaicolBen · 2019-09-12T20:57:04Z

@jkeen Thank you!

lucasm-iRonin · 2019-09-20T10:16:52Z

@jkeen thank you!

jkeen force-pushed the forgot_pass_with_reset_password_token branch from f726795 to 18c1c77 Compare June 2, 2019 21:18

jkeen force-pushed the forgot_pass_with_reset_password_token branch 3 times, most recently from fe63b54 to d232301 Compare August 13, 2019 23:15

MaicolBen and others added 6 commits August 26, 2019 12:19

Allow user send new password with reset pasword token without auth he…

be33d63

…aders

Handle case where require_client_password_reset_token is true and tok…

e5623c4

…en is invalid, small refactors for clarity

Update create_token call that returns an object instead of an array

0075413

Don't double parse the uri

5fe8cfe

Tidy up the code path for an easier read, and fix the test teardowns …

84c984d

…re: require_client_password_reset_token to resolve test failures

Use faker for generating unique email addresses

c93de06

jkeen force-pushed the forgot_pass_with_reset_password_token branch from c337593 to c93de06 Compare August 26, 2019 17:20

MaicolBen approved these changes Sep 1, 2019

View reviewed changes

jkeen added 3 commits September 4, 2019 08:16

Use built in DeviseTokenAuth::Url.generate instead of handrolled one.…

a47a82b

… Add tests that hit this codepath

Remove line that was added to combat strange intermittent test valida…

56f1b1f

…tion errors (it seems to work without this now)

Make sure generated email addresses are unique

c49d72e

MaicolBen merged commit b8620bb into lynndylanhurley:master Sep 12, 2019

mcelicalderon mentioned this pull request Oct 22, 2020

userCheckPasswordToken return Type graphql-devise/graphql_devise#133

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allow password reset with token alone #1295

Allow password reset with token alone #1295

jkeen commented Jun 2, 2019

MaicolBen commented Jun 2, 2019

jkeen commented Jun 4, 2019

jkeen commented Jun 5, 2019

jkeen commented Aug 14, 2019

MaicolBen commented Aug 18, 2019

MaicolBen Sep 1, 2019

MaicolBen Sep 1, 2019

MaicolBen Sep 1, 2019

jkeen Sep 4, 2019

jkeen commented Sep 4, 2019

MaicolBen commented Sep 12, 2019

lucasm-iRonin commented Sep 20, 2019

		setup { DatabaseCleaner.start }
		teardown { DatabaseCleaner.clean }

Allow password reset with token alone #1295

Allow password reset with token alone #1295

Conversation

jkeen commented Jun 2, 2019

MaicolBen commented Jun 2, 2019

jkeen commented Jun 4, 2019

jkeen commented Jun 5, 2019

jkeen commented Aug 14, 2019

MaicolBen commented Aug 18, 2019

MaicolBen Sep 1, 2019

Choose a reason for hiding this comment

MaicolBen Sep 1, 2019

Choose a reason for hiding this comment

MaicolBen Sep 1, 2019

Choose a reason for hiding this comment

jkeen Sep 4, 2019

Choose a reason for hiding this comment

jkeen commented Sep 4, 2019

MaicolBen commented Sep 12, 2019

lucasm-iRonin commented Sep 20, 2019