tootlab-mastodon/app/controllers/auth/passwords_controller.rb

# frozen_string_literal: true

class Auth::PasswordsController < Devise::PasswordsController
  skip_before_action :check_self_destruct!
  before_action :redirect_invalid_reset_token, only: :edit, unless: :reset_password_token_is_valid?

  layout 'auth'

  def update
    super do |resource|
      if resource.errors.empty?
        resource.session_activations.destroy_all

        resource.revoke_access!
      end
    end
  end

  private

  def redirect_invalid_reset_token
    flash[:error] = I18n.t('auth.invalid_reset_password_token')
    redirect_to new_password_path(resource_name)
  end

  def reset_password_token_is_valid?
    resource_class.with_reset_password_token(params[:reset_password_token]).present?
  end
end
Fix rubocop issues, introduce usage of frozen literal to improve performance 2016-11-15 10:56:29 -05:00			`# frozen_string_literal: true`

Customizing devise views and controllers 2016-03-05 16:43:05 -05:00			`class Auth::PasswordsController < Devise::PasswordsController`
Add SELF_DESTRUCT env variable to process self-destructions in the background (#26439) 2023-10-23 11:46:21 -04:00			`skip_before_action :check_self_destruct!`
Fix `Style/GuardClause` cop in app/controllers (#28420) 2024-01-25 10:13:41 -05:00			`before_action :redirect_invalid_reset_token, only: :edit, unless: :reset_password_token_is_valid?`
Redirect to PasswordController#new when reset_password_token is invalid (#4506) 2017-08-03 11:45:45 -04:00
Customizing devise views and controllers 2016-03-05 16:43:05 -05:00			`layout 'auth'`
Redirect to PasswordController#new when reset_password_token is invalid (#4506) 2017-08-03 11:45:45 -04:00
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker. 2020-01-23 18:20:38 -05:00			`def update`
			`super do \|resource\|`
Fix other sessions not being logged out on password change (#14252) While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method 2020-07-07 09:26:31 -04:00			`if resource.errors.empty?`
			`resource.session_activations.destroy_all`
Revoke all authorized applications on password reset (#21325) * Clear sessions on password change * Rename User::clear_sessions to revoke_access for a clearer meaning * Add reset paassword controller test * Use User.find instead of User.find_for_authentication for reset password test * Use redirect and render for better test meaning in reset password Co-authored-by: Effy Elden <effy@effy.space> 2022-12-15 09:47:06 -05:00
			`resource.revoke_access!`
Fix other sessions not being logged out on password change (#14252) While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method 2020-07-07 09:26:31 -04:00			`end`
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker. 2020-01-23 18:20:38 -05:00			`end`
			`end`

Redirect to PasswordController#new when reset_password_token is invalid (#4506) 2017-08-03 11:45:45 -04:00			`private`

Fix `Style/GuardClause` cop in app/controllers (#28420) 2024-01-25 10:13:41 -05:00			`def redirect_invalid_reset_token`
			`flash[:error] = I18n.t('auth.invalid_reset_password_token')`
			`redirect_to new_password_path(resource_name)`
Redirect to PasswordController#new when reset_password_token is invalid (#4506) 2017-08-03 11:45:45 -04:00			`end`

			`def reset_password_token_is_valid?`
			`resource_class.with_reset_password_token(params[:reset_password_token]).present?`
			`end`
Customizing devise views and controllers 2016-03-05 16:43:05 -05:00			`end`