mirror of
https://github.com/we-promise/sure.git
synced 2026-04-07 14:31:25 +00:00
64 lines
1.7 KiB
Ruby
64 lines
1.7 KiB
Ruby
class PasswordResetsController < ApplicationController
|
|
skip_authentication
|
|
|
|
layout "auth"
|
|
|
|
before_action :ensure_password_resets_enabled
|
|
before_action :set_user_by_token, only: %i[edit update]
|
|
|
|
def new
|
|
end
|
|
|
|
def create
|
|
if (user = User.find_by(email: params[:email]))
|
|
# Security: Block password reset for SSO-only users.
|
|
# These users have no local password and must authenticate via SSO.
|
|
unless user.sso_only?
|
|
PasswordMailer.with(
|
|
user: user,
|
|
token: user.generate_token_for(:password_reset)
|
|
).password_reset.deliver_later
|
|
end
|
|
end
|
|
|
|
# Always redirect to pending step to prevent email enumeration
|
|
redirect_to new_password_reset_path(step: "pending")
|
|
end
|
|
|
|
def edit
|
|
@user = User.new
|
|
end
|
|
|
|
def update
|
|
# Security: Block password setting for SSO-only users.
|
|
# Defense-in-depth: even if they somehow get a reset token, block the update.
|
|
if @user.sso_only?
|
|
redirect_to new_session_path, alert: t("password_resets.sso_only_user")
|
|
return
|
|
end
|
|
|
|
if @user.update(password_params)
|
|
redirect_to new_session_path, notice: t(".success")
|
|
else
|
|
render :edit, status: :unprocessable_entity
|
|
end
|
|
end
|
|
|
|
private
|
|
|
|
def ensure_password_resets_enabled
|
|
return if AuthConfig.password_features_enabled?
|
|
|
|
redirect_to new_session_path, alert: t("password_resets.disabled")
|
|
end
|
|
|
|
def set_user_by_token
|
|
@user = User.find_by_token_for(:password_reset, params[:token])
|
|
redirect_to new_password_reset_path, alert: t("password_resets.update.invalid_token") unless @user.present?
|
|
end
|
|
|
|
def password_params
|
|
params.require(:user).permit(:password, :password_confirmation)
|
|
end
|
|
end
|