From 31b8522b8d926e2324015c20ea719181f7b072b9 Mon Sep 17 00:00:00 2001
From: natdeanlewissoftwire
Date: Thu, 9 Feb 2023 10:01:23 +0000
Subject: [PATCH] feat: fix reset passwords bugs - stop leaking between reset/change routes

---
 app/controllers/auth/passwords_controller.rb       | 7 +++++--
 app/views/devise/passwords/edit.html.erb           | 2 +-
 app/views/devise/passwords/reset_password.html.erb | 8 +++-----
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/app/controllers/auth/passwords_controller.rb b/app/controllers/auth/passwords_controller.rb
index bd4b119cf..c76ebaf6a 100644
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@@ -19,11 +19,13 @@ class Auth::PasswordsController < Devise::PasswordsController
     self.resource = resource_class.send_reset_password_instructions(resource_params)
     yield resource if block_given?
+    @minimum_password_length = Devise.password_length.min
     respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
   end
   def edit
     super
+    @minimum_password_length = Devise.password_length.min
     @confirmation = params["confirmation"]
     render "devise/passwords/reset_password"
   end
@@ -44,8 +46,9 @@ class Auth::PasswordsController < Devise::PasswordsController
       end
       respond_with resource, location: after_resetting_password_path_for(resource)
     else
-      set_minimum_password_length
-      respond_with resource, status: :unprocessable_entity
+      @minimum_password_length = Devise.password_length.min
+      @confirmation = resource_params["confirmation"]
+      render "devise/passwords/reset_password", status: :unprocessable_entity
     end
   end
diff --git a/app/views/devise/passwords/edit.html.erb b/app/views/devise/passwords/edit.html.erb
index 94ef6f44c..34137a0d6 100644
--- a/app/views/devise/passwords/edit.html.erb
+++ b/app/views/devise/passwords/edit.html.erb
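Review bot: Both added lines read `Devise.password_length.min`, the global setting, whereas Devise's own `set_minimum_password_length` (which the next hunk removes) uses `resource_class.password_length.min`, so a model that declares its own `password_length` would have the form advertise a minimum that differs from the one actually enforced. Prefer `@minimum_password_length = resource_class.password_length.min` in both places. The assignment added to `create` also looks unused: the following `respond_with({}, location: ...)` redirects for an HTML request rather than rendering, so the value is discarded unless something outside the hunk renders on failure. `create` starts outside the hunk; `edit` is shown in full.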
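Review bot: The `else` branch now calls `render` directly where the removed line used `respond_with`, so a non-HTML request that fails validation (if this endpoint serves any) now gets the HTML template instead of a format-appropriate 422; if HTML is the only format here, say so with `# HTML only: re-render the reset form with the validation errors`. `@confirmation = resource_params["confirmation"]` reflects a client-supplied form value back into the page; in this patch it only selects the title and refills a hidden field, and it should stay a display hint rather than gate any behaviour. The identical `@minimum_password_length = Devise.password_length.min` line now appears in three actions; overriding the private `set_minimum_password_length` helper once would stop them drifting. `update` starts outside the hunk.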
@@ -15,7 +15,7 @@
   <%= f.govuk_password_field :password,
                              label: { text: "New password" },
-                             hint: @minimum_password_length ? { text: "Your password must be at least #{@minimum_password_length} characters and hard to guess." } : nil,
+                             hint: { text: "Your password must be at least #{@minimum_password_length} characters and hard to guess." },
                              autocomplete: "new-password" %>
   <%= f.govuk_password_field :password_confirmation,
diff --git a/app/views/devise/passwords/reset_password.html.erb b/app/views/devise/passwords/reset_password.html.erb
index 26ee6f590..26b16dd77 100644
--- a/app/views/devise/passwords/reset_password.html.erb
+++ b/app/views/devise/passwords/reset_password.html.erb
@@ -1,9 +1,5 @@
 <% content_for :title, @confirmation ? I18n.t("user.create_password") : I18n.t("user.reset_password") %>
-<% content_for :before_content do %>
-  <%= govuk_back_link(href: :back) %>
-<% end %>
-
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :put }) do |f| %>
   <%= f.hidden_field :reset_password_token %>
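Review bot: Dropping the `@minimum_password_length ?` guard makes this template depend on every action that renders it having set the variable; when it is nil the hint reads `at least  characters`, and nothing in this patch shows which action still renders `edit.html.erb` (the controller's `edit` now renders `reset_password`). Either keep a fallback, e.g. `hint: { text: "Your password must be at least #{@minimum_password_length || resource_class.password_length.min} characters and hard to guess." },`, or put a comment at the top of the template naming the action responsible for setting it. The same hint text is duplicated in `reset_password.html.erb`; a shared partial would keep the stated policy in one place.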
@@ -16,12 +12,14 @@
   <%= f.govuk_password_field :password,
                              label: { text: "New password" },
-                             hint: @minimum_password_length ? { text: "Your password must be at least #{@minimum_password_length} characters and hard to guess." } : nil,
+                             hint: { text: "Your password must be at least #{@minimum_password_length} characters and hard to guess." },
                              autocomplete: "new-password" %>
   <%= f.govuk_password_field :password_confirmation,
                              label: { text: "Confirm new password" } %>
+  <%= f.hidden_field :confirmation, value: @confirmation %> + <%= f.govuk_submit "Update" %>