Skip to content

Allow overriding the source of the password_reset_token #5297

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
artfuldodger wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Allow overriding the source of the password_reset_token #5297

artfuldodger wants to merge 1 commit into from

Conversation

@artfuldodger
Copy link

@artfuldodger artfuldodger commented Sep 29, 2020

Changes no behavior by default, but this allows for pulling the token
out of the session for example.

The motivation behind this is to stop leaking the token to third parties
when tracking JavaScript is present on the page (e.g. Google Analytics).

We're overriding edit to set the token in the session and then redirect,
taking it out of the URL, and this change would enable us to be slightly
less coupled to Devise's internals.

@artfuldodger
Allow overriding the source of the password_reset_token
cade1bf 
Changes no behavior by default, but this allows for pulling the token
out of the session for example.

The motivation behind this is to stop leaking the token to third parties
when tracking JavaScript is present on the page (e.g. Google Analytics).

We're overriding `edit` to set the token in the session and then redirect,
and this change would enable us to be slightly less coupled to Devise's
internals.
@crespire
Copy link

crespire commented Mar 15, 2025

+1 on this, I had to do this today, and was one of the strategies I saw in https://thoughtbot.com/blog/is-your-site-leaking-password-reset-links

@ghost
Copy link

ghost commented May 1, 2025

what is the point of setting a password if someone without the password can overide a password?

ghost
ghost suggested changes May 1, 2025
View reviewed changes
Copy link

@ghost ghost left a comment
edited by ghost
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A password is meant to secure something, allowing an override defeats the purpose. @github/support What do you think about these updates?

@artfuldodger
Copy link
Author

artfuldodger commented May 1, 2025

@Polaris253 hi! So you know when you forget your password, and you submit a request to reset your password? It sends you an email containing a link with a password reset token in the url. This PR just makes it easy to override where that token is pulled from, as urls are often logged to places you may not want your tokens stored.

@gregmolnar
Copy link
Contributor

gregmolnar commented Aug 14, 2025

These tokens should be short lived and terminated after use anyways, so there isn't much of a risk of them ending up in the logs(you can also filter the param from logging).
I might misunderstand something, but if you have the token in the session and the link in the email doesn't contain it, then it defeats the purpose of it, doesn't it? And a user can just ask for a password reset, then without having access to the email, they can just go to the edit page and the token would be verified from the session, wouldn't it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@artfuldodger @crespire @gregmolnar