feat: fix reset passwords bugs - stop leaking between reset/change routes

3 years ago · 31b8522b8d
3 changed files with 9 additions and 8 deletions
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@ -19,11 +19,13 @@ class Auth::PasswordsController < Devise::PasswordsController
    self.resource = resource_class.send_reset_password_instructions(resource_params)
    yield resource if block_given?
    @minimum_password_length = Devise.password_length.min
    respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
  end
  def edit
    super
    @minimum_password_length = Devise.password_length.min
    @confirmation = params["confirmation"]
    render "devise/passwords/reset_password"
  end
@ -44,8 +46,9 @@ class Auth::PasswordsController < Devise::PasswordsController
      end
      respond_with resource, location: after_resetting_password_path_for(resource)
    else
-      set_minimum_password_length
+      @minimum_password_length = Devise.password_length.min
-      respond_with resource, status: :unprocessable_entity
+      @confirmation = resource_params["confirmation"]
      render "devise/passwords/reset_password", status: :unprocessable_entity
    end
  end
--- a/app/views/devise/passwords/edit.html.erb
+++ b/app/views/devise/passwords/edit.html.erb
@ -15,7 +15,7 @@
      <%= f.govuk_password_field :password,
        label: { text: "New password" },
-        hint: @minimum_password_length ? { text: "Your password must be at least #{@minimum_password_length} characters and hard to guess." } : nil,
+        hint: { text: "Your password must be at least #{@minimum_password_length} characters and hard to guess." },
        autocomplete: "new-password" %>
      <%= f.govuk_password_field :password_confirmation,
--- a/app/views/devise/passwords/reset_password.html.erb
+++ b/app/views/devise/passwords/reset_password.html.erb
@ -1,9 +1,5 @@
 <% content_for :title, @confirmation ? I18n.t("user.create_password") : I18n.t("user.reset_password") %>
 <% content_for :before_content do %>
  <%= govuk_back_link(href: :back) %>
 <% end %>
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :put }) do |f| %>
  <%= f.hidden_field :reset_password_token %>
  <div class="govuk-grid-row">
@ -16,12 +12,14 @@
      <%= f.govuk_password_field :password,
        label: { text: "New password" },
-        hint: @minimum_password_length ? { text: "Your password must be at least #{@minimum_password_length} characters and hard to guess." } : nil,
+        hint: { text: "Your password must be at least #{@minimum_password_length} characters and hard to guess." },
        autocomplete: "new-password" %>
      <%= f.govuk_password_field :password_confirmation,
        label: { text: "Confirm new password" } %>
      <%= f.hidden_field :confirmation, value: @confirmation %>
      <%= f.govuk_submit "Update" %>
    </div>
  </div>