Bugfix: Fix password reset (#455)

app/controllers/devise_overrides/confirmations_controller.rb

@@ -0,0 +1,30 @@
+class DeviseOverrides::ConfirmationsController < Devise::ConfirmationsController
+  skip_before_action :require_no_authentication, raise: false
+  skip_before_action :authenticate_user!, raise: false
+
+  def create
+    @confirmable = User.find_by(confirmation_token: params[:confirmation_token])
+    if @confirmable
+      if @confirmable.confirm || (@confirmable.confirmed_at && @confirmable.reset_password_token)
+        # confirmed now or already confirmed but quit before setting a password
+        render json: { "message": 'Success', "redirect_url": create_reset_token_link(@confirmable) }, status: :ok
+      elsif @confirmable.confirmed_at
+        render json: { "message": 'Already confirmed', "redirect_url": '/' }, status: 422
+      else
+        render json: { "message": 'Failure', "redirect_url": '/' }, status: 422
+      end
+    else
+      render json: { "message": 'Invalid token', "redirect_url": '/' }, status: 422
+    end
+  end
+
+  protected
+
+  def create_reset_token_link(user)
+    raw, enc = Devise.token_generator.generate(user.class, :reset_password_token)
+    user.reset_password_token   = enc
+    user.reset_password_sent_at = Time.now.utc
+    user.save(validate: false)
+    '/app/auth/password/edit?config=default&redirect_url=&reset_password_token=' + raw
+  end
+end

app/controllers/devise_overrides/passwords_controller.rb

@@ -0,0 +1,48 @@
+class DeviseOverrides::PasswordsController < Devise::PasswordsController
+  include AuthHelper
+
+  skip_before_action :require_no_authentication, raise: false
+  skip_before_action :authenticate_user!, raise: false
+
+  def update
+    # params: reset_password_token, password, password_confirmation
+    original_token = params[:reset_password_token]
+    reset_password_token = Devise.token_generator.digest(self, :reset_password_token, original_token)
+    @recoverable = User.find_by(reset_password_token: reset_password_token)
+    if @recoverable && reset_password_and_confirmation(@recoverable)
+      send_auth_headers(@recoverable)
+      render json: {
+        data: @recoverable.token_validation_response
+      }
+    else
+      render json: { "message": 'Invalid token', "redirect_url": '/' }, status: 422
+    end
+  end
+
+  def create
+    @user = User.find_by(email: params[:email])
+    if @user
+      @user.send_reset_password_instructions
+      build_response(I18n.t('messages.reset_password_success'), 200)
+    else
+      build_response(I18n.t('messages.reset_password_failure'), 404)
+    end
+  end
+
+  protected
+
+  def reset_password_and_confirmation(recoverable)
+    recoverable.confirm unless recoverable.confirmed? # confirm if user resets password without confirming anytime before
+    recoverable.reset_password(params[:password], params[:password_confirmation])
+    recoverable.reset_password_token = nil
+    recoverable.confirmation_token = nil
+    recoverable.reset_password_sent_at = nil
+    recoverable.save!
+  end
+
+  def build_response(message, status)
+    render json: {
+      "message": message
+    }, status: status
+  end
+end

app/controllers/devise_overrides/sessions_controller.rb

@@ -0,0 +1,5 @@
+class DeviseOverrides::SessionsController < ::DeviseTokenAuth::SessionsController
+  # Prevent session parameter from being passed
+  # Unpermitted parameter: session
+  wrap_parameters format: []
+end

app/controllers/devise_overrides/token_validations_controller.rb

@@ -0,0 +1,10 @@
+class DeviseOverrides::TokenValidationsController < ::DeviseTokenAuth::TokenValidationsController
+  def validate_token
+    # @resource will have been set by set_user_by_token concern
+    if @resource
+      render 'devise/token.json'
+    else
+      render_validate_token_error
+    end
+  end
+end