submit-social-housing-letti.../app/controllers/auth/passwords_controller.rb

class Auth::PasswordsController < Devise::PasswordsController
  include Helpers::Email

  def reset_confirmation
    self.resource = resource_class.new
    @email = params["email"]
    if @email.blank?
      resource.errors.add :email, I18n.t("validations.email.blank")
      render "devise/passwords/new", status: :unprocessable_entity
    elsif !email_valid?(@email)
      resource.errors.add :email, I18n.t("validations.email.invalid")
      render "devise/passwords/new", status: :unprocessable_entity
    else
      render "devise/passwords/reset_resend_confirmation"
    end
  end

  def create
    self.resource = resource_class.send_reset_password_instructions(resource_params)
    yield resource if block_given?

    @minimum_password_length = Devise.password_length.min
    respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
  end

  def edit
    super
    @minimum_password_length = Devise.password_length.min
    @confirmation = params["confirmation"]
    render "devise/passwords/reset_password"
  end

  def update
    self.resource = resource_class.reset_password_by_token(resource_params)
    yield resource if block_given?

    if resource.errors.empty?
      resource.unlock_access! if unlockable?(resource)
      if Devise.sign_in_after_reset_password
        set_flash_message!(:notice, password_update_flash_message)
        resource.after_database_authentication
        sign_in(resource_name, resource)
        set_2fa_required
      else
        set_flash_message!(:notice, :updated_not_active)
      end
      respond_with resource, location: after_resetting_password_path_for(resource)
    else
      @minimum_password_length = Devise.password_length.min
      @confirmation = resource_params["confirmation"]
      render "devise/passwords/reset_password", status: :unprocessable_entity
    end
  end

protected

  def set_2fa_required
    return unless resource.respond_to?(:need_two_factor_authentication?) &&
      resource.need_two_factor_authentication?(request)

    warden.session(resource_class.name.underscore)[DeviseTwoFactorAuthentication::NEED_AUTHENTICATION] = true
  end

  def password_update_flash_message
    resource.need_two_factor_authentication?(request) ? :updated_2FA : :updated
  end

  def after_sending_reset_password_instructions_path_for(_resource)
    account_password_reset_confirmation_path(email: params.dig("user", "email"))
  end

  def after_resetting_password_path_for(resource)
    if Devise.sign_in_after_reset_password
      if resource.need_two_factor_authentication?(request)
        resource.send_new_otp
        send("#{resource_name}_two_factor_authentication_path")
      else
        after_sign_in_path_for(resource)
      end
    else
      new_session_path(resource_name)
    end
  end
end
Invite new user (#134) * Clean up user routes * Make user registerable * Merge * Turbo devise strikes again * URL naming * Dashes not underscores * Consistent syntax * Turning off turbo changes our html * Update password link not working yet * New user path * Password edit path * Updating password keeps you signed in and redirects to show * Set new user org * Write a failing spec for user creation * Reset user password and redirect back to org users page * Test redirect * Use invite template * Request specs over feature specs * Add email validation 3 years ago			`class Auth::PasswordsController < Devise::PasswordsController`
Reset password validation (#125) * Add email validation to reset password form * Revert extracting CSS file by default since it messes with tests * Add label to change password * Error summary should be above title 3 years ago			`include Helpers::Email`

pass first reset confirmation test 3 years ago			`def reset_confirmation`
Reset password validation (#125) * Add email validation to reset password form * Revert extracting CSS file by default since it messes with tests * Add label to change password * Error summary should be above title 3 years ago			`self.resource = resource_class.new`
make a step to protect emails 3 years ago			`@email = params["email"]`
minor change in the reset confirmation method to avoid errors if email in params is nil (#1676) 1 year ago			`if @email.blank?`
Sentry fixes (#373) * Show validation error if user email already exists instead of crashing * Use translation strings * When answer option is mapped just display directly * Validate provider type presence 3 years ago			`resource.errors.add :email, I18n.t("validations.email.blank")`
Reset password validation (#125) * Add email validation to reset password form * Revert extracting CSS file by default since it messes with tests * Add label to change password * Error summary should be above title 3 years ago			`render "devise/passwords/new", status: :unprocessable_entity`
			`elsif !email_valid?(@email)`
Sentry fixes (#373) * Show validation error if user email already exists instead of crashing * Use translation strings * When answer option is mapped just display directly * Validate provider type presence 3 years ago			`resource.errors.add :email, I18n.t("validations.email.invalid")`
Reset password validation (#125) * Add email validation to reset password form * Revert extracting CSS file by default since it messes with tests * Add label to change password * Error summary should be above title 3 years ago			`render "devise/passwords/new", status: :unprocessable_entity`
			`else`
Confirmable (#580) * Confirmable * Remove obsolete rake task * Skip confirmation for inactive users * Send beta onboarding template if migrated from Softwire * Default controller * Use correct link * Redirect confirmation to set password * Confirm account within 3 days * Only redirect to set password if not previously set * Rubocop * Confirm factory bot users * Set password condition * Changing email requires reconfirming * No need to explicitly trigger email, devise does that for us now * Remove flash banner * Mock notify * Mock in the right spec * Test redirect and text * User is confirmable * Rubocop * Redirect to url so we don't bypass authenticity token * Update content * Add test for resend invite flow * Update link to resend confirmation email * Rename password reset resend confirmation partial * Expired link error page * Remove resend confirmation link * Update seed * Expory contact * Time zone Co-authored-by: Paul Robert Lloyd <me+git@paulrobertlloyd.com> 2 years ago			`render "devise/passwords/reset_resend_confirmation"`
Reset password validation (#125) * Add email validation to reset password form * Revert extracting CSS file by default since it messes with tests * Add label to change password * Error summary should be above title 3 years ago			`end`
lint fixes 3 years ago			`end`
pass first reset confirmation test 3 years ago
add test around protecting emails 3 years ago			`def create`
			`self.resource = resource_class.send_reset_password_instructions(resource_params)`
			`yield resource if block_given?`

CLDC-1900 improve expired join links (#1265) * feat: update expired join link page * feat: update controller * feat: show invalid page if token invalid * feat: add password hint_text * feat: use new templates * refactor: min password length simplification * feat: add dynamic template selection * feat: revert devise behaviour * feat: fix initial confirmation sent behaviour * feat: show invalid page if link invalid * test: update * test: add tests for path * db: update * refactor: linting * feat: move initial_confirmation_sent update * feat: add further reconfirmation to tests * refactor: simplify by removing before_action * revert password hint text update (added to cldc-1963 instead) * feat: reset initial_confirmation_sent if deactivated * feat: reset initial_confirmation_sent if deactivated * feat: add flash notice for already confirmed * feat: fix reset passwords bugs - stop leaking between reset/change routes * test: add tests for change vs reset password routes * feat: add reset password persistence 2 years ago			`@minimum_password_length = Devise.password_length.min`
add test around protecting emails 3 years ago			`respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))`
			`end`

Fix password reset flow (#157) * Render gov uk reset view * Pass password reset token * Test password update and sign in * The cop is working 3 years ago			`def edit`
			`super`
CLDC-1900 improve expired join links (#1265) * feat: update expired join link page * feat: update controller * feat: show invalid page if token invalid * feat: add password hint_text * feat: use new templates * refactor: min password length simplification * feat: add dynamic template selection * feat: revert devise behaviour * feat: fix initial confirmation sent behaviour * feat: show invalid page if link invalid * test: update * test: add tests for path * db: update * refactor: linting * feat: move initial_confirmation_sent update * feat: add further reconfirmation to tests * refactor: simplify by removing before_action * revert password hint text update (added to cldc-1963 instead) * feat: reset initial_confirmation_sent if deactivated * feat: reset initial_confirmation_sent if deactivated * feat: add flash notice for already confirmed * feat: fix reset passwords bugs - stop leaking between reset/change routes * test: add tests for change vs reset password routes * feat: add reset password persistence 2 years ago			`@minimum_password_length = Devise.password_length.min`
Confirmable (#580) * Confirmable * Remove obsolete rake task * Skip confirmation for inactive users * Send beta onboarding template if migrated from Softwire * Default controller * Use correct link * Redirect confirmation to set password * Confirm account within 3 days * Only redirect to set password if not previously set * Rubocop * Confirm factory bot users * Set password condition * Changing email requires reconfirming * No need to explicitly trigger email, devise does that for us now * Remove flash banner * Mock notify * Mock in the right spec * Test redirect and text * User is confirmable * Rubocop * Redirect to url so we don't bypass authenticity token * Update content * Add test for resend invite flow * Update link to resend confirmation email * Rename password reset resend confirmation partial * Expired link error page * Remove resend confirmation link * Update seed * Expory contact * Time zone Co-authored-by: Paul Robert Lloyd <me+git@paulrobertlloyd.com> 2 years ago			`@confirmation = params["confirmation"]`
Fix sending reset email for admins (#313) * Fix sending reset email for admins * Reset does not let you bypass 2FA * Trigger SMS on admin password reset * Update flash message for 2FA * Update Admin Login header * Rubocop * 422 * Revert unused view 3 years ago			`render "devise/passwords/reset_password"`
			`end`

			`def update`
			`self.resource = resource_class.reset_password_by_token(resource_params)`
			`yield resource if block_given?`

			`if resource.errors.empty?`
			`resource.unlock_access! if unlockable?(resource)`
			`if Devise.sign_in_after_reset_password`
			`set_flash_message!(:notice, password_update_flash_message)`
			`resource.after_database_authentication`
			`sign_in(resource_name, resource)`
CLDC-1016: Fix 2FA bypass (#367) * Failing test * Simplest thing to make spec pass * Extract to method * Set condition based on class having the 2fa module rather than hardcoding class name 3 years ago			`set_2fa_required`
Fix sending reset email for admins (#313) * Fix sending reset email for admins * Reset does not let you bypass 2FA * Trigger SMS on admin password reset * Update flash message for 2FA * Update Admin Login header * Rubocop * 422 * Revert unused view 3 years ago			`else`
			`set_flash_message!(:notice, :updated_not_active)`
			`end`
			`respond_with resource, location: after_resetting_password_path_for(resource)`
			`else`
CLDC-1900 improve expired join links (#1265) * feat: update expired join link page * feat: update controller * feat: show invalid page if token invalid * feat: add password hint_text * feat: use new templates * refactor: min password length simplification * feat: add dynamic template selection * feat: revert devise behaviour * feat: fix initial confirmation sent behaviour * feat: show invalid page if link invalid * test: update * test: add tests for path * db: update * refactor: linting * feat: move initial_confirmation_sent update * feat: add further reconfirmation to tests * refactor: simplify by removing before_action * revert password hint text update (added to cldc-1963 instead) * feat: reset initial_confirmation_sent if deactivated * feat: reset initial_confirmation_sent if deactivated * feat: add flash notice for already confirmed * feat: fix reset passwords bugs - stop leaking between reset/change routes * test: add tests for change vs reset password routes * feat: add reset password persistence 2 years ago			`@minimum_password_length = Devise.password_length.min`
			`@confirmation = resource_params["confirmation"]`
			`render "devise/passwords/reset_password", status: :unprocessable_entity`
Fix sending reset email for admins (#313) * Fix sending reset email for admins * Reset does not let you bypass 2FA * Trigger SMS on admin password reset * Update flash message for 2FA * Update Admin Login header * Rubocop * 422 * Revert unused view 3 years ago			`end`
Fix password reset flow (#157) * Render gov uk reset view * Pass password reset token * Test password update and sign in * The cop is working 3 years ago			`end`

lint fixes 3 years ago			`protected`
pass first reset confirmation test 3 years ago
CLDC-1016: Fix 2FA bypass (#367) * Failing test * Simplest thing to make spec pass * Extract to method * Set condition based on class having the 2fa module rather than hardcoding class name 3 years ago			`def set_2fa_required`
			`return unless resource.respond_to?(:need_two_factor_authentication?) &&`
			`resource.need_two_factor_authentication?(request)`

RubyGems 2FA gem (#710) * RubyGems 2FA gem * Overriding private methods is a bad time 2 years ago			`warden.session(resource_class.name.underscore)[DeviseTwoFactorAuthentication::NEED_AUTHENTICATION] = true`
CLDC-1016: Fix 2FA bypass (#367) * Failing test * Simplest thing to make spec pass * Extract to method * Set condition based on class having the 2fa module rather than hardcoding class name 3 years ago			`end`

Fix sending reset email for admins (#313) * Fix sending reset email for admins * Reset does not let you bypass 2FA * Trigger SMS on admin password reset * Update flash message for 2FA * Update Admin Login header * Rubocop * 422 * Revert unused view 3 years ago			`def password_update_flash_message`
CLDC-1100: Add a Customer Support user role (#454) * A support role exists that can see all case logs * Support role requires 2FA * Support user sees 2FA code screen on login * Use email for OTP code * Ensure resend paths work * Support user can see additional organisation columns on logs page * Simpler test * Remove spec description spaces 3 years ago			`resource.need_two_factor_authentication?(request) ? :updated_2FA : :updated`
Fix sending reset email for admins (#313) * Fix sending reset email for admins * Reset does not let you bypass 2FA * Trigger SMS on admin password reset * Update flash message for 2FA * Update Admin Login header * Rubocop * 422 * Revert unused view 3 years ago			`end`

lint fixes 3 years ago			`def after_sending_reset_password_instructions_path_for(_resource)`
Remove active admin (#611) * Remove stuff * Remove ActiveAdmin from Gem file * Remove routes and table * Rubocop * Remove active admin from webpack config * Remove JQuery from webpack * Remove remaining spec references * Remove js packages * Schema 2 years ago			`account_password_reset_confirmation_path(email: params.dig("user", "email"))`
Fix sending reset email for admins (#313) * Fix sending reset email for admins * Reset does not let you bypass 2FA * Trigger SMS on admin password reset * Update flash message for 2FA * Update Admin Login header * Rubocop * 422 * Revert unused view 3 years ago			`end`

			`def after_resetting_password_path_for(resource)`
			`if Devise.sign_in_after_reset_password`
CLDC-1100: Add a Customer Support user role (#454) * A support role exists that can see all case logs * Support role requires 2FA * Support user sees 2FA code screen on login * Use email for OTP code * Ensure resend paths work * Support user can see additional organisation columns on logs page * Simpler test * Remove spec description spaces 3 years ago			`if resource.need_two_factor_authentication?(request)`
Fix sending reset email for admins (#313) * Fix sending reset email for admins * Reset does not let you bypass 2FA * Trigger SMS on admin password reset * Update flash message for 2FA * Update Admin Login header * Rubocop * 422 * Revert unused view 3 years ago			`resource.send_new_otp`
CLDC-1100: Add a Customer Support user role (#454) * A support role exists that can see all case logs * Support role requires 2FA * Support user sees 2FA code screen on login * Use email for OTP code * Ensure resend paths work * Support user can see additional organisation columns on logs page * Simpler test * Remove spec description spaces 3 years ago			`send("#{resource_name}_two_factor_authentication_path")`
Fix sending reset email for admins (#313) * Fix sending reset email for admins * Reset does not let you bypass 2FA * Trigger SMS on admin password reset * Update flash message for 2FA * Update Admin Login header * Rubocop * 422 * Revert unused view 3 years ago			`else`
			`after_sign_in_path_for(resource)`
			`end`
			`else`
			`new_session_path(resource_name)`
			`end`
lint fixes 3 years ago			`end`
			`end`