From 9db4ccb4743e8a7485b2899d3aaa1da7d9ff56eb Mon Sep 17 00:00:00 2001
From: Samuel Young
Date: Tue, 7 Oct 2025 09:44:09 +0100
Subject: [PATCH] CLDC-4033: Improve flow for unconfirmed users (#3089)
* send confirmation if user is unconfirmed on password reset
* update copy on password reset page if user is unconfirmed
* fixup! update copy on password reset page if user is unconfirmed also check if they've been sent a confirmation email otherwise, this text shows if the user doesn't exist
* CLDC-4033 Fix name of variable
* CLDC-4033: Correct name of resource variable this override function is passed a resource symbol, not a resource object
---------
Co-authored-by: David May-Miller
---
 app/controllers/auth/passwords_controller.rb | 5 +++--
 app/models/user.rb | 8 ++++++++
 .../devise/passwords/reset_resend_confirmation.html.erb | 6 +++++-
 3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/app/controllers/auth/passwords_controller.rb b/app/controllers/auth/passwords_controller.rb
index 9a281df16..e4a21675b 100644
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@@ -4,6 +4,7 @@ class Auth::PasswordsController < Devise::PasswordsController
 def reset_confirmation
 self.resource = resource_class.new
 @email = params["email"]
+ @unconfirmed = params["unconfirmed"] == "true"
 if @email.blank?
 resource.errors.add :email, I18n.t("validations.email.blank")
 render "devise/passwords/new", status: :unprocessable_entity
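Review bot: `@unconfirmed` in `reset_confirmation` is read straight from the query string, so which confirmation text the page shows is decided by whoever builds the URL, not by the account's state. That is tolerable while the flag only selects copy, but it should be written down so it is never reused to gate behaviour. I would add `# Display-only flag taken from the redirect URL; never treat it as proof of the account's confirmation state.` above the assignment. The body of `reset_confirmation` continues outside the hunk.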
@@ -65,8 +66,8 @@ protected
 resource.need_two_factor_authentication?(request) ? :updated_2FA : :updated
 end
- def after_sending_reset_password_instructions_path_for(_resource)
- account_password_reset_confirmation_path(email: params.dig("user", "email"))
+ def after_sending_reset_password_instructions_path_for(_resource_name)
+ account_password_reset_confirmation_path(email: params.dig("user", "email"), unconfirmed: resource.initial_confirmation_sent && !resource.confirmed?)
 end
 def after_resetting_password_path_for(resource)
diff --git a/app/models/user.rb b/app/models/user.rb
index b504db9bc..23dbc196b 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -358,6 +358,14 @@ class User < ApplicationRecord
 end
 end
+ def send_reset_password_instructions
+ if confirmed?
+ super
+ else
+ send_confirmation_instructions
+ end
+ end
+
 protected
 # Checks whether a password is needed or not. For validations only.
diff --git a/app/views/devise/passwords/reset_resend_confirmation.html.erb b/app/views/devise/passwords/reset_resend_confirmation.html.erb
index b89717844..106f4d87e 100644
--- a/app/views/devise/passwords/reset_resend_confirmation.html.erb
+++ b/app/views/devise/passwords/reset_resend_confirmation.html.erb
@@ -6,7 +6,11 @@ <%= content_for(:title) %> -
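Review bot: The new `unconfirmed:` argument in `after_sending_reset_password_instructions_path_for` makes the redirect URL depend on the account that was looked up, so an unauthenticated visitor can tell a registered-but-unconfirmed address apart from every other address. This assumes `resource` is the record found for the submitted email, which the commit message's remark about the text showing "if the user doesn't exist" suggests. The confirmation view still says the link is only sent if the address exists, so the page appears intended to respond identically for known and unknown emails, and the `unconfirmed=true` parameter plus the changed copy in `reset_resend_confirmation.html.erb` break that. Consider keeping the redirect uniform with `account_password_reset_confirmation_path(email: params.dig("user", "email"))` and using one piece of copy that covers both the reset and the confirmation email. Otherwise record that this disclosure is accepted and make sure the endpoint is rate-limited.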
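Review bot: `send_reset_password_instructions` in `User` branches only on `confirmed?`, while the controller's `unconfirmed:` flag also requires `initial_confirmation_sent`. If an unconfirmed user without that flag can exist, they would be emailed a confirmation link but shown the "reset your password" text, so the two conditions should share one predicate. For unconfirmed users the override also returns whatever `send_confirmation_instructions` returns rather than the reset token Devise's own method returns, so any caller that uses the return value should be checked. The method has no comment; I would add `# Unconfirmed users are sent confirmation instructions instead of a password reset link.` above the `def`.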

We’ve sent a link to reset your password to <%= @email %>.

+ <% if @unconfirmed %> +

We’ve sent a link to confirm your email address to <%= @email %>. This will complete your registration onto the CORE service.

+ <% else %> +

We’ve sent a link to reset your password to <%= @email %>.

+ <% end %>

You’ll only receive this link if your email address already exists in our system.

If you don’t receive the email within 5 minutes, check your spam or junk folders. Try again if you still haven’t received the email.