Prevent password reset token leak via HTTP referer
parent
88724e10ad
commit
ab79083696
@ -24,7 +24,13 @@ class Devise::PasswordsController < DeviseController
|
|||
def edit
|
||||
self.resource = resource_class.new
|
||||
set_minimum_password_length
|
||||
resource.reset_password_token = params[:reset_password_token]
|
||||
|
||||
if params[:reset_password_token]
|
||||
session[:reset_password_token] = params[:reset_password_token]
|
||||
redirect_to edit_user_password_url
|
||||
end
|
||||
|
||||
resource.reset_password_token = session[:reset_password_token]
|
||||
end
|
||||
|
||||
# PUT /resource/password
|
||||
|
@ -41,6 +47,7 @@ class Devise::PasswordsController < DeviseController
|
|||
else
|
||||
set_flash_message!(:notice, :updated_not_active)
|
||||
end
|
||||
session[:reset_password_token] = nil
|
||||
respond_with resource, location: after_resetting_password_path_for(resource)
|
||||
else
|
||||
set_minimum_password_length
|
||||
|
@ -60,7 +67,9 @@ class Devise::PasswordsController < DeviseController
|
|||
|
||||
# Check if a reset_password_token is provided in the request
|
||||
def assert_reset_token_passed
|
||||
if params[:reset_password_token].blank?
|
||||
reset_token = session[:reset_password_token] || params[:reset_password_token]
|
||||
|
||||
if reset_token.blank?
|
||||
set_flash_message(:alert, :no_token)
|
||||
redirect_to new_session_path(resource_name)
|
||||
end
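Review bot: `redirect_to edit_user_password_url` in the first hunk's `edit` action hard-codes the `user` mapping inside the generic `Devise::PasswordsController`, so any other Devise scope (an admin model, for instance) is redirected to the wrong route, or the call raises when no `User` mapping exists; the scope-aware helper is `edit_password_url(resource_name)`. The method also runs on past the redirect and still assigns `resource.reset_password_token` from the session in the same request, which is dead work once the redirect is issued, and `if params[:reset_password_token]` stores an empty string in the session when the parameter is present with no value. I would write the branch as `if params[:reset_password_token].present?` / `session[:reset_password_token] = params[:reset_password_token]` / `return redirect_to edit_password_url(resource_name)`. Since the second hunk clears the session only after a successful `update`, an abandoned reset leaves the raw token in the session cookie until the server-side expiry (presumably `reset_password_within`) invalidates it; a short comment on the final assignment, `# raw token stays in the session until update succeeds; validity is still bounded server-side`, would make that lifecycle explicit for the next reader.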
|
||||
|
|
|
@ -22,7 +22,7 @@ class PasswordTest < Devise::IntegrationTest
|
|||
def reset_password(options={}, &block)
|
||||
unless options[:visit] == false
|
||||
visit edit_user_password_path(reset_password_token: options[:reset_password_token] || "abcdef")
|
||||
assert_response :success
|
||||
assert_current_url '/users/password/edit'
|
||||
end
|
||||
|
||||
fill_in 'New password', with: '987654321'
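Review bot: Replacing `assert_response :success` with `assert_current_url '/users/password/edit'` drops the only status check in `reset_password`, so an error page served at the redirect target would pass as long as the final URL matches. Whether `visit` follows the new redirect is not visible here; if it does, keep both assertions, `assert_current_url '/users/password/edit'` followed by `assert_response :success`; if it does not, the URL assertion (which may compare only the path, ignoring the query string) no longer proves the form rendered at all. Unless covered elsewhere in the file, the new session-based path also has no direct test: a second `visit edit_user_password_path` without the token parameter should still render the form, and an empty session should hit the `no_token` redirect. The body of `reset_password` continues outside the hunk.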
|
||||
|
|