GRN2-xx: Restructured email verification and password reset (#1444)

* Restructured email verification and password reset * Fixed issue with password reset Co-authored-by: Jesus Federico <jesus@123it.ca>
2020-04-29 17:56:46 -04:00
parent 8f3ba8a038
commit 28302107bd
10 changed files with 46 additions and 81 deletions
--- a/app/controllers/account_activations_controller.rb
+++ b/app/controllers/account_activations_controller.rb
@ -29,7 +29,7 @@ class AccountActivationsController < ApplicationController
  # GET /account_activations/edit
  def edit
    # If the user exists and is not verified and provided the correct token
-    if @user && !@user.activated? && @user.authenticated?(:activation, params[:token])
+    if @user && !@user.activated?
      # Verify user
      @user.activate

@ -51,8 +51,7 @@ class AccountActivationsController < ApplicationController
      flash[:alert] = I18n.t("verify.already_verified")
    else
      # Resend
-      @user.create_activation_token
-      send_activation_email(@user)
+      send_activation_email(@user, @user.create_activation_token)
    end

    redirect_to root_path
@ -61,7 +60,7 @@ class AccountActivationsController < ApplicationController
  private

  def find_user
-    @user = User.find_by!(activation_digest: User.digest(params[:token]), provider: @user_domain)
+    @user = User.find_by!(activation_digest: User.hash_token(params[:token]), provider: @user_domain)
  end

  def ensure_unauthenticated
--- a/app/controllers/admins_controller.rb
+++ b/app/controllers/admins_controller.rb
@ -133,9 +133,7 @@ class AdminsController < ApplicationController

  # GET /admins/reset
  def reset
-    @user.create_reset_digest
-
-    send_password_reset_email(@user)
+    send_password_reset_email(@user, @user.create_reset_digest)

    if session[:prev_url].present?
      redirect_path = session[:prev_url]
--- a/app/controllers/concerns/emailer.rb
+++ b/app/controllers/concerns/emailer.rb
@ -20,11 +20,11 @@ module Emailer
  extend ActiveSupport::Concern

  # Sends account activation email.
-  def send_activation_email(user)
+  def send_activation_email(user, token)
    begin
      return unless Rails.configuration.enable_email_verification

-      UserMailer.verify_email(user, user_verification_link(user), @settings).deliver
+      UserMailer.verify_email(user, user_verification_link(token), @settings).deliver
    rescue => e
      logger.error "Support: Error in email delivery: #{e}"
      flash[:alert] = I18n.t(params[:message], default: I18n.t("delivery_error"))
@ -34,11 +34,11 @@ module Emailer
  end

  # Sends password reset email.
-  def send_password_reset_email(user)
+  def send_password_reset_email(user, token)
    begin
      return unless Rails.configuration.enable_email_verification

-      UserMailer.password_reset(user, reset_link(user), @settings).deliver_now
+      UserMailer.password_reset(user, reset_link(token), @settings).deliver_now
    rescue => e
      logger.error "Support: Error in email delivery: #{e}"
      flash[:alert] = I18n.t(params[:message], default: I18n.t("delivery_error"))
@ -124,8 +124,8 @@ module Emailer
  private

  # Returns the link the user needs to click to verify their account
-  def user_verification_link(user)
-    edit_account_activation_url(token: user.activation_token)
+  def user_verification_link(token)
+    edit_account_activation_url(token: token)
  end

  def admin_emails
@ -139,8 +139,8 @@ module Emailer
    admins.collect(&:email).join(",")
  end

-  def reset_link(user)
-    edit_password_reset_url(user.reset_token)
+  def reset_link(token)
+    edit_password_reset_url(token)
  end

  def invitation_link(token)
--- a/app/controllers/password_resets_controller.rb
+++ b/app/controllers/password_resets_controller.rb
@ -21,7 +21,6 @@ class PasswordResetsController < ApplicationController

  before_action :disable_password_reset, unless: -> { Rails.configuration.enable_email_verification }
  before_action :find_user, only: [:edit, :update]
-  before_action :valid_user, only: [:edit, :update]
  before_action :check_expiration, only: [:edit, :update]

  # POST /password_resets/new
@ -34,8 +33,7 @@ class PasswordResetsController < ApplicationController
      # Check if user exists and throw an error if he doesn't
      @user = User.find_by!(email: params[:password_reset][:email].downcase, provider: @user_domain)

-      @user.create_reset_digest
-      send_password_reset_email(@user)
+      send_password_reset_email(@user, @user.create_reset_digest)
      redirect_to root_path
    rescue
      # User doesn't exist
@ -68,7 +66,7 @@ class PasswordResetsController < ApplicationController
  private

  def find_user
-    @user = User.find_by(reset_digest: User.digest(params[:id]), provider: @user_domain)
+    @user = User.find_by(reset_digest: User.hash_token(params[:id]), provider: @user_domain)
  end

  def user_params
@ -80,14 +78,6 @@ class PasswordResetsController < ApplicationController
    redirect_to new_password_reset_url, alert: I18n.t("expired_reset_token") if @user.password_reset_expired?
  end

-  # Confirms a valid user.
-  def valid_user
-    unless @user.authenticated?(:reset, params[:id])
-      @user&.activate unless @user&.activated?
-      redirect_to root_url
-    end
-  end
-
  # Redirects to 404 if emails are not enabled
  def disable_password_reset
    redirect_to '/404'
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -88,10 +88,7 @@ class SessionsController < ApplicationController
      # Check that the user is a Greenlight account
      return redirect_to(root_path, alert: I18n.t("invalid_login_method")) unless user.greenlight_account?
      # Check that the user has verified their account
-      unless user.activated?
-        user.create_activation_token
-        return redirect_to(account_activation_path(token: user.activation_token))
-      end
+      return redirect_to(account_activation_path(token: user.create_activation_token)) unless user.activated?
    end

    login(user)
@ -247,8 +244,7 @@ class SessionsController < ApplicationController
    logger.info "Switching social account to local account for #{user.uid}"

    # Send the user a reset password email
-    user.create_reset_digest
-    send_password_reset_email(user)
+    send_password_reset_email(user, user.create_reset_digest)

    # Overwrite the flash with a more descriptive message if successful
    flash[:success] = I18n.t("reset_password.auth_change") if flash[:success].present?
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -58,9 +58,7 @@ class UsersController < ApplicationController
    # Sign in automatically if email verification is disabled or if user is already verified.
    login(@user) && return if !Rails.configuration.enable_email_verification || @user.email_verified

-    @user.create_activation_token
-
-    send_activation_email(@user)
+    send_activation_email(@user, @user.create_activation_token)

    redirect_to root_path
  end