Commit 2cb7a778 authored by Douwe Maan's avatar Douwe Maan

Merge branch 'rs-disable-signin-after-reset' into 'master'

Take advantage of `Devise.sign_in_after_reset_password`

Since we've updated our Devise dependency, we can take
advantage of this new-ish configuration setting and avoid
our hackish workaround.

See merge request !1475
parents 2714d5b8 3a4274e1
...@@ -16,27 +16,6 @@ class PasswordsController < Devise::PasswordsController ...@@ -16,27 +16,6 @@ class PasswordsController < Devise::PasswordsController
end end
end end
# After a user resets their password, prompt for 2FA code if enabled instead
# of signing in automatically
#
# See http://git.io/vURrI
def update
super do |resource|
# TODO (rspeicher): In Devise master (> 3.4.1), we can set
# `Devise.sign_in_after_reset_password = false` and avoid this mess.
if resource.errors.empty? && resource.try(:two_factor_enabled?)
resource.unlock_access! if unlockable?(resource)
# Since we are not signing this user in, we use the :updated_not_active
# message which only contains "Your password was changed successfully."
set_flash_message(:notice, :updated_not_active) if is_flashing_format?
# Redirect to sign in so they can enter 2FA code
respond_with(resource, location: new_session_path(resource)) and return
end
end
end
def edit def edit
super super
reset_password_token = Devise.token_generator.digest( reset_password_token = Devise.token_generator.digest(
...@@ -148,6 +148,10 @@ Devise.setup do |config| ...@@ -148,6 +148,10 @@ Devise.setup do |config|
# When someone else invites you to GitLab this time is also used so it should be pretty long. # When someone else invites you to GitLab this time is also used so it should be pretty long.
config.reset_password_within = 2.days config.reset_password_within = 2.days
# When set to false, does not sign a user in automatically after their password is
# reset. Defaults to true, so a user is signed in automatically after a reset.
config.sign_in_after_reset_password = false
# ==> Configuration for :encryptable # ==> Configuration for :encryptable
# Allow you to use another encryption algorithm besides bcrypt (default). You can use # Allow you to use another encryption algorithm besides bcrypt (default). You can use
# :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1, # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
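Review bot: The comment added above `config.sign_in_after_reset_password = false` only restates Devise's documentation and not why GitLab overrides the default; the rationale that lived in the removed controller override (a password reset must not establish a session for a two-factor user and skip the second factor) disappears with this commit. Suggest a second comment line such as `# GitLab disables this so a password reset alone never establishes a session; users, including those with 2FA, must sign in again.` Note that the setting now applies to every user rather than only two-factor users, which the updated feature spec reflects but the config comment does not say. As far as I recall, Devise's own update action still calls unlock_access! before redirecting when this flag is false, so the unlock dropped from the controller should be covered, but that is worth confirming against the pinned Devise version.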
require 'spec_helper' require 'spec_helper'
feature 'Password reset', feature: true do feature 'Password reset', feature: true do
def forgot_password
click_on 'Forgot your password?'
fill_in 'Email', with: user.email
click_button 'Reset password'
user.reload
end
def get_reset_token
mail = ActionMailer::Base.deliveries.last
body = mail.body.encoded
body.scan(/reset_password_token=(.+)\"/).flatten.first
end
def reset_password(password = 'password')
visit edit_user_password_path(reset_password_token: get_reset_token)
fill_in 'New password', with: password
fill_in 'Confirm new password', with: password
click_button 'Change your password'
end
describe 'with two-factor authentication' do describe 'with two-factor authentication' do
let(:user) { create(:user, :two_factor) } let(:user) { create(:user, :two_factor) }
...@@ -40,14 +19,35 @@ feature 'Password reset', feature: true do ...@@ -40,14 +19,35 @@ feature 'Password reset', feature: true do
describe 'without two-factor authentication' do describe 'without two-factor authentication' do
let(:user) { create(:user) } let(:user) { create(:user) }
it 'automatically logs in after password reset' do it 'requires login after password reset' do
visit root_path visit root_path
forgot_password forgot_password
reset_password reset_password
expect(current_path).to eq root_path expect(page).to have_content("Your password was changed successfully.")
expect(page).to have_content("Your password was changed successfully. You are now signed in.") expect(current_path).to eq new_user_session_path
end end
end end
def forgot_password
click_on 'Forgot your password?'
fill_in 'Email', with: user.email
click_button 'Reset password'
user.reload
end
def get_reset_token
mail = ActionMailer::Base.deliveries.last
body = mail.body.encoded
body.scan(/reset_password_token=(.+)\"/).flatten.first
end
def reset_password(password = 'password')
visit edit_user_password_path(reset_password_token: get_reset_token)
fill_in 'New password', with: password
fill_in 'Confirm new password', with: password
click_button 'Change your password'
end
end end
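Review bot: `get_reset_token`, moved to the bottom of the feature block in this hunk, captures the token with the greedy pattern `/reset_password_token=(.+)\"/`, which runs to the last `"` on that line of the encoded body and would silently return an over-long token (surfacing as a confusing invalid-token failure) if the mail template ever places another quoted attribute after the link; `body.scan(/reset_password_token=([^"]+)"/).flatten.first` keeps the intent with a bounded capture. The new 'requires login after password reset' example asserts the flash text and the sign-in path but never that no session was established, which is the property the commit is about; a follow-up such as `visit root_path` then `expect(current_path).to eq new_user_session_path` (or whatever the app does for an unauthenticated visit to a protected page) would pin it. The enclosing `feature` block starts before this hunk.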