fixed login/logout, added password reset, fixed emails etc.

models/sorcery_mailer.rb

@@ -4,7 +4,7 @@ class SorceryMailer < ActionMailer::Base
 
   def activation_needed_email(user)
     @user = user
-    @url  = "http://0.0.0.0:4567/users/#{user.activation_code}/activate"
+    @url  = "http://0.0.0.0:4567/users/#{user.activation_token}/activate"
     mail(:to => user.email,
          :subject => "Welcome to My Awesome Site")
   end
@@ -18,8 +18,8 @@ def activation_success_email(user)
 
   def reset_password_email(user)
     @user = user
-    @url  = "http://example.com/login"
+    @url  = "http://0.0.0.0:4567/password_resets/#{user.reset_password_token}/edit"
     mail(:to => user.email,
-         :subject => "Your password has been reset")
+         :subject => "Reset password request")
   end
 end

myapp.rb

@@ -3,13 +3,14 @@
 
 require 'sqlite3'
 require 'active_record'
-
+require 'logger'
 # establish connection
 ActiveRecord::Base.establish_connection(
   :adapter  => "sqlite3",
   :database => "dummy",
   :verbosity => "quiet"
 )
+ActiveRecord::Base.logger = Logger.new(STDOUT)
 
 # mailer
 require 'action_mailer'
@@ -71,6 +72,13 @@
   session[:alert] = nil
 end
 
+# helpers
+helpers do
+  def current_users_list
+    current_users.map {|u| u.email}.join(", ")
+  end
+end
+
 # actions
 get '/' do
   @users = User.all
@@ -112,7 +120,7 @@
 get '/logout' do
   logout
   session[:notice] = "Logged out!"
-  erb :'users/index'
+  redirect '/'
 end
 
 post '/login' do
@@ -125,16 +133,47 @@
   redirect '/'
 end
 
+# password reset
+post '/password_resets' do
+  @user = User.find_by_email(params[:email])
+
+  # This line sends an email to the user with instructions on how to reset their password (a url with a random token)
+  @user.deliver_reset_password_instructions! if @user
+
+  # Tell the user instructions have been sent whether or not email was found.
+  # This is to not leak information to attackers about which emails exist in the system.
+  session[:notice] = 'Instructions have been sent to your email.'
+  redirect '/'
+end
+
+get '/password_resets/:token/edit' do
+  @user = User.load_from_reset_password_token(params[:token])
+  @token = params[:token]
+  not_authenticated if !@user
+end
 
+put '/password_resets' do
+  @user = User.load_from_reset_password_token(params[:token])
+  not_authenticated if !@user
+  # the next line clears the temporary token and updates the password
+  if @user.reset_password!(params[:user])
+    session[:notice] = 'Password was successfully updated.'
+    redirect '/'
+  else
+    erb :'password_resets/edit'
+  end
+end
 
 def not_authenticated
   halt "You must login to see this page!"
 end
 
+# HTTP Basic Auth
 get '/login_with_http_basic_auth' do
   erb "HTTP Basic Auth"
 end
 
+# OAuth
 get '/auth_at_provider' do
   auth_at_provider(params[:provider])
 end

views/layout.erb

@@ -20,6 +20,10 @@
 	<% if current_user %>
 		<div id="current_users"> Currently active users: <%= current_users_list %></div>
 	<% end %>
+	<div>
+		<p id="notice"><%= @notice %></p>
+		<p id="alert"><%= @alert %></p>
+	</div>
 <%= yield %>
 
 </body>

views/password_resets/edit.erb

@@ -2,4 +2,4 @@
 
 <%= erb :'password_resets/_form' %>
 
-<%= link_to 'Back', users_path %>
+<a href="/">Back</a>

views/user_sessions/new.erb

@@ -1,6 +1,4 @@
 <h1>Login</h1>
-<p id="notice"></p>
-<p id="alert"></p>
 <%= erb :'user_sessions/_form' %>
 
 <h1>Forgot Password?</h1>

views/users/index.erb

@@ -1,6 +1,4 @@
 <h1>Listing users</h1>
-<p id="notice"><%= @notice %></p>
-<p id="alert"><%= @alert %></p>
 <table>
   <tr>
     <th>User</th>

views/users/new.erb

@@ -2,4 +2,4 @@
 
 <%= erb :'users/_form' %>
 
-<a href=<%= url('/') %>>Back</a>
+<a href="/">Back</a>