refinery / refinerycms-authentication-devise

Devise based authentication extension for Refinery CMS
MIT License

Reset password error on reset_password_token #25

Closed Dreamjer closed 7 years ago

Dreamjer commented 8 years ago

Hi,

After I got it wrong by typing my new password in the reset password view:

[screenshot: erreur change password be 1]

and succeeded the second time, the password is well updated but I've got an error on the "reset_password_token" at the same time!

[screenshot: erreur change password be 2]

NB: I was able to log in with the new password.

I'm using:

bricesanchez commented 8 years ago

Hello @Dreamjer, I can confirm the bug. Thanks for the report!

bricesanchez commented 8 years ago

Feel free to send us a pull request in order to fix this bug :)

Dreamjer commented 8 years ago

Hello @bricesanchez,

The password controller edit action sets the reset_password_token into the instance variable @reset_password_token to give it to the view only if there was the param[:reset_password_token]. But the update action doesn't send it when it fails.

So I tried to return to the current devise edit action (devise 3.5.10):

  # GET /resource/password/edit?reset_password_token=abcdef
  def edit
    self.resource = resource_class.new
    set_minimum_password_length
    resource.reset_password_token = params[:reset_password_token]
  end

In the edit view I updated the value param like this:

  <%#= f.hidden_field :reset_password_token, :value => @reset_password_token %>
  <%= f.hidden_field :reset_password_token %>

And it seems to fix the problem.

So I was wondering why this edit action was overridden?

Maybe only for the redirect_to?

  redirect_to refinery.new_authentication_devise_user_password_path, :flash => ({ :error => t('code_invalid', :scope => 'refinery.authentication.devise.users.reset') })

But the I18n translation seems to be not configured:

  irb(main):055:0> I18n.t('code_invalid', :scope => 'refinery.authentication.devise.users.reset')
  => "translation missing: en.refinery.authentication.devise.users.reset.code_invalid"

And if I manually call the edit action without a token I'm well redirected to the sign in view with the following message:

You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided.

So my question is: maybe I missed something, but what was the original purpose of overriding this edit action?

Jerome
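As an added, runnable illustration of the round trip Jerome describes (my own plain-Ruby model, not code from this gem or from Devise; the token value, the validation rules and the per-request controller objects are constructed), this shows why a hidden field fed from @reset_password_token is empty on the form that a failed update re-renders, while Devise's resource-backed field still carries the token:

```ruby
# Constructed model of the password-reset edit/update requests.
# Each request gets a fresh controller object, as in Rails, so an instance
# variable set only in `edit` is nil inside `update`.
Resource = Struct.new(:reset_password_token, :password, :password_confirmation, :errors)

class PasswordsController
  VALID_TOKEN = 'abcdef' # constructed sample token from the reset e-mail

  # from_ivar: true  -> hidden field reads @reset_password_token (overridden edit)
  # from_ivar: false -> hidden field reads resource.reset_password_token (stock Devise)
  def initialize(from_ivar:)
    @from_ivar = from_ivar
  end

  # GET /password/edit?reset_password_token=... ; returns the hidden-field value
  def edit(params)
    @resource = Resource.new(nil, nil, nil, [])
    @reset_password_token = params[:reset_password_token] if params[:reset_password_token]
    @resource.reset_password_token = params[:reset_password_token]
    hidden_field_value
  end

  # PUT /password ; returns [:ok | :error, hidden-field value of the re-rendered form]
  def update(params)
    @resource = Resource.new(params[:reset_password_token], params[:password],
                             params[:password_confirmation], [])
    @resource.errors << 'reset_password_token is invalid' unless @resource.reset_password_token == VALID_TOKEN
    @resource.errors << "password confirmation doesn't match" unless @resource.password == @resource.password_confirmation
    return [:ok, nil] if @resource.errors.empty?
    [:error, hidden_field_value] # re-render edit; @reset_password_token was never set here
  end

  def hidden_field_value
    @from_ivar ? @reset_password_token : @resource.reset_password_token
  end
end

# The scenario from the issue: first attempt mistyped, second attempt correct.
# Returns the status of the second attempt.
def second_attempt_result(from_ivar:)
  token = PasswordsController.new(from_ivar: from_ivar).edit(reset_password_token: 'abcdef')
  _status, token = PasswordsController.new(from_ivar: from_ivar)
    .update(reset_password_token: token, password: 'new-pass', password_confirmation: 'typo')
  status, _ = PasswordsController.new(from_ivar: from_ivar)
    .update(reset_password_token: token, password: 'new-pass', password_confirmation: 'new-pass')
  status
end
```

With the overridden action the second attempt fails on the token (the re-rendered hidden field was empty), with the stock Devise action it succeeds.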

bricesanchez commented 8 years ago

@parndt will be the best to answer this question :)

parndt commented 8 years ago

I don't know why we overrode that; after looking at your examples it doesn't make much sense to me why we would

Dreamjer commented 8 years ago

Ok, so it fixes it, but now the resource email address has disappeared from the view:

[screenshot: erreur change password be 3]

This is maybe why you overrode it.

Do you want to fix it by keeping the email address in the view like this:

def edit
  self.resource = User.find_or_initialize_with_error_by_reset_password_token(params[:reset_password_token])
  set_minimum_password_length
  resource.reset_password_token = params[:reset_password_token]
end

Or just remove it from the view and leave the devise edit action untouched?

Dreamjer commented 8 years ago

Because I'm nice, I found in line another one ;-) If we get it wrong again, then a "false" success flash message comes from nowhere:

[screenshot: erreur change password be 4]

I confirm the password wasn't updated.

bricesanchez commented 7 years ago

Fixed, thanks @Dreamjer :)