GRN2-233: Made account activation & password reset links based on tokens only (#959)

* GRN2-233: Hiding email in verification link and password reset link * updating tests * removing uid from email verificaiton link * GRN2-233: modifying test cases * GRN2-233: Removing uid from password reset link * GRN2-233: Removed email_params and fixed "authenticated?" method * GRN2-233: Fixed error when trying to sign in unverified * GRN2-233: Changed how activation tokens are generated
2020-02-24 13:05:09 -05:00
parent b7aa5406ea
commit 03266730e8
10 changed files with 42 additions and 46 deletions
--- a/app/controllers/account_activations_controller.rb
+++ b/app/controllers/account_activations_controller.rb
@ -51,6 +51,7 @@ class AccountActivationsController < ApplicationController
      flash[:alert] = I18n.t("verify.already_verified")
    else
      # Resend
+      @user.create_activation_token
      send_activation_email(@user)
    end

@ -60,14 +61,10 @@ class AccountActivationsController < ApplicationController
  private

  def find_user
-    @user = User.find_by!(email: params[:email], provider: @user_domain)
+    @user = User.find_by!(activation_digest: User.digest(params[:token]), provider: @user_domain)
  end

  def ensure_unauthenticated
    redirect_to current_user.main_room if current_user
  end
-
-  def email_params
-    params.require(:email).permit(:email, :token)
-  end
 end
--- a/app/controllers/concerns/emailer.rb
+++ b/app/controllers/concerns/emailer.rb
@ -125,7 +125,7 @@ module Emailer

  # Returns the link the user needs to click to verify their account
  def user_verification_link(user)
-    edit_account_activation_url(token: user.activation_token, email: user.email)
+    edit_account_activation_url(token: user.activation_token)
  end

  def admin_emails
@ -140,7 +140,7 @@ module Emailer
  end

  def reset_link(user)
-    edit_password_reset_url(user.reset_token, email: user.email)
+    edit_password_reset_url(user.reset_token)
  end

  def invitation_link(token)
--- a/app/controllers/password_resets_controller.rb
+++ b/app/controllers/password_resets_controller.rb
@ -68,7 +68,7 @@ class PasswordResetsController < ApplicationController
  private

  def find_user
-    @user = User.find_by(email: params[:email], provider: @user_domain)
+    @user = User.find_by(reset_digest: User.digest(params[:id]), provider: @user_domain)
  end

  def user_params
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -88,7 +88,10 @@ class SessionsController < ApplicationController
      # Check that the user is a Greenlight account
      return redirect_to(root_path, alert: I18n.t("invalid_login_method")) unless user.greenlight_account?
      # Check that the user has verified their account
-      return redirect_to(account_activation_path(email: user.email)) unless user.activated?
+      unless user.activated?
+        user.create_activation_token
+        return redirect_to(account_activation_path(token: user.activation_token))
+      end
    end

    login(user)
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -58,6 +58,8 @@ class UsersController < ApplicationController
    # Sign in automatically if email verification is disabled or if user is already verified.
    login(@user) && return if !Rails.configuration.enable_email_verification || @user.email_verified

+    @user.create_activation_token
+
    send_activation_email(@user)

    redirect_to root_path
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -21,7 +21,7 @@ require 'bbb_api'
 class User < ApplicationRecord
  include Deleteable

-  attr_accessor :reset_token
+  attr_accessor :reset_token, :activation_token
  after_create :setup_user

  before_save { email.try(:downcase!) }
@ -122,7 +122,7 @@ class User < ApplicationRecord
  def authenticated?(attribute, token)
    digest = send("#{attribute}_digest")
    return false if digest.nil?
-    BCrypt::Password.new(digest).is_password?(token)
+    digest == Digest::SHA256.base64digest(token)
  end

  # Return true if password reset link expires
@ -153,9 +153,9 @@ class User < ApplicationRecord
    social_uid.nil?
  end

-  def activation_token
-    # Create the token.
-    create_reset_activation_digest(User.new_token)
+  def create_activation_token
+    self.activation_token = User.new_token
+    update_attributes(activation_digest: User.digest(activation_token))
  end

  def admin_of?(user)
@ -172,8 +172,7 @@ class User < ApplicationRecord
  end

  def self.digest(string)
-    cost = ActiveModel::SecurePassword.min_cost ? BCrypt::Engine::MIN_COST : BCrypt::Engine.cost
-    BCrypt::Password.create(string, cost: cost)
+    Digest::SHA256.base64digest(string)
  end

  # Returns a random token.
@ -250,12 +249,6 @@ class User < ApplicationRecord

  private

-  def create_reset_activation_digest(token)
-    # Create the digest and persist it.
-    update_attribute(:activation_digest, User.digest(token))
-    token
-  end
-
  # Destory a users rooms when they are removed.
  def destroy_rooms
    rooms.destroy_all
--- a/app/views/account_activations/show.html.erb
+++ b/app/views/account_activations/show.html.erb
@ -22,7 +22,7 @@
      <div class="card-body">
        <p><%= t("verify.not_verified") %></p>
        <div class="btn-list text-right pt-8">
-          <%= button_to t("verify.resend"), resend_email_path, params: { email: params['email'], email_verified: false }, class: "btn btn-primary btn-space", "data-disable": "" %>
+          <%= button_to t("verify.resend"), resend_email_path, params: { token: params['token'], email_verified: false }, class: "btn btn-primary btn-space", "data-disable": "" %>
        </div>
      </div>
    </div>