Add expiring, databaseless password reset tokens (alternative solution) #823
@@ -1,5 +1,5 @@ | ||
<%= t(".opening") %> | ||
|
||
<%= edit_user_password_url(@user, token: @user.confirmation_token.html_safe) %> | ||
<%= edit_user_password_url(@user, token: @token) %> | ||
|
||
<%= raw t(".closing") %> |
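Review bot: `@token` replaces `@user.confirmation_token.html_safe` in the reset URL, but nothing in this diff shows the mailer assigning `@token`; the mailer needs to call `Clearance::PasswordResetToken.generate_for(user)` once per email and hand that value to the view, otherwise the link renders with an empty `token=`. Dropping `.html_safe` is the right call: `edit_user_password_url` percent-encodes the query value, and the base64 output of `encrypt_and_sign` (with its `--` separator and `+`, `/`, `=` characters) relies on that encoding to survive the round trip.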
@@ -1,3 +1,5 @@ | ||
require 'clearance/tokenizer' | ||
Style/StringLiterals: Prefer double-quoted strings unless you need single quotes to avoid extra backslashes for escaping. |
||
|
||
module Clearance | ||
class Configuration | ||
# Controls whether the sign up route is enabled. | ||
|
@@ -47,6 +49,16 @@ class Configuration | |
# @return [String] | ||
attr_accessor :mailer_sender | ||
|
||
# Used to generate and verify secure encrypted tokens | ||
# Defaults to `Clearance::Tokenizer` | ||
# @return [#new #generate #valid?] | ||
attr_accessor :tokenizer | ||
|
||
# Determines how long password reset emails are valid for | ||
# Defaults to 15 minutes | ||
# @return [Integer] | ||
attr_accessor :password_reset_time_limit | ||
|
||
# The password strategy to use when authenticating and setting passwords. | ||
# Defaults to {Clearance::PasswordStrategies::BCrypt}. | ||
# @return [Module #authenticated? #password=] | ||
|
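Review bot: the YARD tag on `password_reset_time_limit` says `@return [Integer]`, but the default assigned in `initialize` is `15.minutes`, an `ActiveSupport::Duration`, and `Tokenizer#generate` calls `expires_in&.from_now` on it; `Numeric#from_now` was deprecated in Rails 4.1 and removed in 5.0, so a user who follows the docs and sets `password_reset_time_limit = 900` gets a `NoMethodError` on the first reset email. Document it as `@return [ActiveSupport::Duration]` (or normalise with `.seconds` before use). The `@return [#new #generate #valid?]` tag on `tokenizer` mixes a class method with instance methods; saying that the value is a class responding to `.new(user)` whose instances respond to `#generate(payload, expires_in:)` and `#valid?(token)` would make the contract clearer.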
@@ -104,6 +116,8 @@ def initialize | |
@cookie_path = '/' | ||
@httponly = true | ||
@mailer_sender = 'reply@example.com' | ||
@tokenizer = Clearance::Tokenizer | ||
@password_reset_time_limit = 15.minutes | ||
@redirect_url = '/' | ||
@rotate_csrf_on_sign_in = nil | ||
@routes = true | ||
|
@@ -0,0 +1,37 @@ | ||
module Clearance | ||
class PasswordResetToken | ||
def self.generate_for(user) | ||
new(user).generate | ||
end | ||
|
||
def self.find_user(user_id, token) | ||
user = Clearance.configuration.user_model.find_by(id: user_id) | ||
user if user && new(user).valid?(token) | ||
end | ||
|
||
def initialize(user) | ||
@user = user | ||
@tokenizer = Clearance.configuration.tokenizer.new(user) | ||
end | ||
|
||
def generate | ||
tokenizer.generate(user.id, expires_in: expires_in) | ||
end | ||
|
||
def valid?(token) | ||
tokenizer.valid?(token) | ||
end | ||
|
||
def to_s | ||
generate | ||
end | ||
|
||
private | ||
|
||
attr_reader :user, :tokenizer | ||
|
||
def expires_in | ||
Clearance.configuration.password_reset_time_limit | ||
end | ||
end | ||
end |
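Review bot: `find_user` takes the user id from the request and `valid?(token)` never checks that the token was issued for that user: `Tokenizer#valid?` discards the first element (`_, expires_at = decrypt(token)`) even though `generate` puts `user.id` into the payload. Validation therefore rests entirely on the per-user key derived from `encrypted_password`; as defense in depth, have the tokenizer expose the decrypted payload and compare it with `user.id` here, e.g. `payload, expires_at = decrypt(token)` followed by `payload == user.id && expires_at.future?`. Separately, `to_s` calls `generate`, so every call mints a new token with a fresh expiry; a caller that interpolates the object twice (once for a log line, once for the URL) gets two different strings, so consider memoizing the generated value.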
@@ -0,0 +1,39 @@ | ||
module Clearance | ||
# Generate secure token used for password reset tokens. | ||
class Tokenizer | ||
# Initialize new tokenizer which will be able to generate | ||
# and verify token validity for any given user | ||
def initialize(user) | ||
# key must be 32 bytes, see: https://github.com/rails/rails/pull/25192 | ||
key_generator = Rails.application.key_generator | ||
key = key_generator.generate_key(user.encrypted_password, 32) | ||
@encryptor = ActiveSupport::MessageEncryptor.new(key) | ||
end | ||
|
||
# Generate secure encrypted token valid for the user | ||
# @return [String] | ||
def generate(payload, expires_in: nil) | ||
encryptor.encrypt_and_sign([payload, expires_in&.from_now]) | ||
end | ||
|
||
# Verify that token are valid for the given user | ||
# @return [Boo] | ||
def valid?(token) | ||
_, expires_at = decrypt(token) | ||
|
||
(expires_at || 1.hour.from_now).future? | ||
end | ||
|
||
private | ||
|
||
attr_reader :encryptor | ||
|
||
def decrypt(token) | ||
begin | ||
Style/RedundantBegin: Redundant begin block detected. |
||
encryptor.decrypt_and_verify(token) | ||
rescue ActiveSupport::MessageVerifier::InvalidSignature | ||
[nil, 1.hour.ago] | ||
end | ||
end | ||
end | ||
end |
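Review bot: `decrypt` rescues only `ActiveSupport::MessageVerifier::InvalidSignature`, but `decrypt_and_verify` also raises `ActiveSupport::MessageEncryptor::InvalidMessage` when the ciphertext itself cannot be decrypted (malformed input, or, under the authenticated AES-GCM cipher, a token minted under a different key after the user's password changed), so a bad token can surface as a 500 instead of `valid?` returning false; rescue both, e.g. `rescue ActiveSupport::MessageVerifier::InvalidSignature, ActiveSupport::MessageEncryptor::InvalidMessage`. Two smaller points: `valid?` substitutes `1.hour.from_now` for a missing `expires_at`, so a token generated with `expires_in: nil` (which happens if `password_reset_time_limit` is configured to `nil`) never expires and only the `[nil, 1.hour.ago]` sentinel from the rescue path can fail it; treating a nil expiry as invalid is the safer default for a reset token. And `@return [Boo]` on `valid?` should read `@return [Boolean]`.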
Naming/MemoizedInstanceVariableName: Memoized variable @user does not match method name find_user_by_password_reset_token. Use @find_user_by_password_reset_token instead.