FIX: respond with proper error message if user not found

app/controllers/users_controller.rb

@@ -545,12 +545,22 @@ def password_reset
             }
           end
         else
-          render json: {
-            is_developer: UsernameCheckerService.is_developer?(@user&.email),
-            admin: @user&.admin?,
-            second_factor_required: !valid_second_factor,
-            backup_enabled: @user&.backup_codes_enabled?
-          }
+          if @error || @user&.errors&.any?
+            render json: {
+              success: false,
+              message: @error,
+              errors: @user&.errors&.to_hash,
+              is_developer: UsernameCheckerService.is_developer?(@user&.email),
+              admin: @user&.admin?
+            }
+          else
+            render json: {
+              is_developer: UsernameCheckerService.is_developer?(@user.email),
+              admin: @user.admin?,
+              second_factor_required: !valid_second_factor,
+              backup_enabled: @user.backup_codes_enabled?
+            }
+          end
         end
       end
     end

spec/requests/users_controller_spec.rb

@@ -122,11 +122,9 @@
     end
 
     context 'missing token' do
-      before do
+      it 'disallows login' do
         get "/u/password-reset/#{token}"
-      end
 
-      it 'disallows login' do
         expect(response.status).to eq(200)
 
         expect(CGI.unescapeHTML(response.body))
@@ -138,6 +136,14 @@
 
         expect(session[:current_user_id]).to be_blank
       end
+
+      it "responds with proper error message" do
+        get "/u/password-reset/#{token}.json"
+
+        expect(response.status).to eq(200)
+        expect(JSON.parse(response.body)["message"]).to eq(I18n.t('password_reset.no_token'))
+        expect(session[:current_user_id]).to be_blank
+      end
     end
 
     context 'invalid token' do