Class: DeviseTokenAuth::PasswordsController

Inherits:

ApplicationController

• Object
• DeviseController
• ApplicationController
• DeviseTokenAuth::PasswordsController

Defined in:

app/controllers/devise_token_auth/passwords_controller.rb

Instance Method Summary

• #create ⇒ Object

  this action is responsible for generating password reset tokens and sending emails.

• #edit ⇒ Object

  this is where users arrive after visiting the password reset confirmation link.

• #update ⇒ Object

Methods inherited from ApplicationController

#resource_data, #resource_errors

Instance Method Details

#create ⇒ Object

this action is responsible for generating password reset tokens and sending emails

# File 'app/controllers/devise_token_auth/passwords_controller.rb', line 8

def create
  unless resource_params[:email]
    return render_create_error_missing_email
  end

  # give redirect value from params priority
  @redirect_url = params[:redirect_url]

  # fall back to default value if provided
  @redirect_url ||= DeviseTokenAuth.default_password_reset_url

  unless @redirect_url
    return render_create_error_missing_redirect_url
  end

  # if whitelist is set, validate redirect_url against whitelist
  if DeviseTokenAuth.redirect_whitelist
    unless DeviseTokenAuth::Url.whitelisted?(@redirect_url)
      return render_create_error_not_allowed_redirect_url
    end
  end

  # honor devise configuration for case_insensitive_keys
  if resource_class.case_insensitive_keys.include?(:email)
    @email = resource_params[:email].downcase
  else
    @email = resource_params[:email]
  end

  q = "uid = ? AND provider='email'"

  # fix for mysql default case insensitivity
  if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
    q = "BINARY uid = ? AND provider='email'"
  end

  @resource = resource_class.where(q, @email).first

  @errors = nil
  @error_status = 400

  if @resource
    yield @resource if block_given?
    @resource.send_reset_password_instructions({
      email: @email,
      provider: 'email',
      redirect_url: @redirect_url,
      client_config: params[:config_name]
    })

    if @resource.errors.empty?
      return render_create_success
    else
      @errors = @resource.errors
    end
  else
    @errors = [I18n.t("devise_token_auth.passwords.user_not_found", email: @email)]
    @error_status = 404
  end

  if @errors
    return render_create_error
  end
end

#edit ⇒ Object

this is where users arrive after visiting the password reset confirmation link

# File 'app/controllers/devise_token_auth/passwords_controller.rb', line 74

def edit
  @resource = resource_class.reset_password_by_token({
    reset_password_token: resource_params[:reset_password_token]
  })

  if @resource && @resource.id
    client_id  = SecureRandom.urlsafe_base64(nil, false)
    token      = SecureRandom.urlsafe_base64(nil, false)
    token_hash = BCrypt::Password.create(token)
    expiry     = (Time.now + DeviseTokenAuth.token_lifespan).to_i

    @resource.tokens[client_id] = {
      token:  token_hash,
      expiry: expiry
    }

    # ensure that user is confirmed
    @resource.skip_confirmation! if @resource.devise_modules.include?(:confirmable) && !@resource.confirmed_at

    # allow user to change password once without current_password
    @resource.allow_password_change = true;

    @resource.save!
    yield @resource if block_given?

    redirect_to(@resource.build_auth_url(params[:redirect_url], {
      token:          token,
      client_id:      client_id,
      reset_password: true,
      config:         params[:config]
    }))
  else
    render_edit_error
  end
end

#update ⇒ Object

# File 'app/controllers/devise_token_auth/passwords_controller.rb', line 110

def update
  # make sure user is authorized
  unless @resource
    return render_update_error_unauthorized
  end

  # make sure account doesn't use oauth2 provider
  unless @resource.provider == 'email'
    return render_update_error_password_not_required
  end

  # ensure that password params were sent
  unless password_resource_params[:password] && password_resource_params[:password_confirmation]
    return render_update_error_missing_password
  end

  if @resource.send(resource_update_method, password_resource_params)
    @resource.allow_password_change = false

    yield @resource if block_given?
    return render_update_success
  else
    return render_update_error
  end
end