Prevent password reset token leak via HTTP referer

app/controllers/devise/passwords_controller.rb

@@ -24,7 +24,13 @@ class Devise::PasswordsController < DeviseController
   def edit
     self.resource = resource_class.new
     set_minimum_password_length
-    resource.reset_password_token = params[:reset_password_token]
+
+    if params[:reset_password_token]
+      session[:reset_password_token] = params[:reset_password_token]
+      redirect_to edit_user_password_url
+    end
+
+    resource.reset_password_token = session[:reset_password_token]
   end
 
   # PUT /resource/password
@@ -41,6 +47,7 @@ class Devise::PasswordsController < DeviseController
       else
         set_flash_message!(:notice, :updated_not_active)
       end
+      session[:reset_password_token] = nil
       respond_with resource, location: after_resetting_password_path_for(resource)
     else
       set_minimum_password_length
@@ -60,7 +67,9 @@ class Devise::PasswordsController < DeviseController
 
     # Check if a reset_password_token is provided in the request
     def assert_reset_token_passed
-      if params[:reset_password_token].blank?
+      reset_token = session[:reset_password_token] || params[:reset_password_token]
+
+      if reset_token.blank?
         set_flash_message(:alert, :no_token)
         redirect_to new_session_path(resource_name)
       end

test/integration/recoverable_test.rb

@@ -22,7 +22,7 @@ class PasswordTest < Devise::IntegrationTest
   def reset_password(options={}, &block)
     unless options[:visit] == false
       visit edit_user_password_path(reset_password_token: options[:reset_password_token] || "abcdef")
-      assert_response :success
+      assert_current_url '/users/password/edit'
     end
 
     fill_in 'New password', with: '987654321'