Reset password_expires_at after a successful password reset by the user

This change resets password_expires_at after a successful password reset by the user via the “forgot password” mechanism

Reset password_expires_at after a successful password reset by the user
This change resets password_expires_at after a successful password reset by the user via the “forgot password” mechanism
f26a227c · Manoj M J · Markus Koller · e17bff08 · f26a227c · f26a227c
Commit f26a227c authored Sep 01, 2020 by Manoj M J Committed by Markus Koller Sep 01, 2020
3 changed files
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -31,8 +31,10 @@ class PasswordsController < Devise::PasswordsController

  def update
    super do |resource|
-      if resource.valid? && resource.password_automatically_set?
-        resource.update_attribute(:password_automatically_set, false)
+      if resource.valid?
+        resource.password_automatically_set = false
+        resource.password_expires_at = nil
+        resource.save(validate: false) if resource.changed?
      end
    end
  end

--- a/changelogs/unreleased/241818-simplify-password-reset-flow-for-a-user-whose-password-has-been-ch.yml
+++ b/changelogs/unreleased/241818-simplify-password-reset-flow-for-a-user-whose-password-has-been-ch.yml
+---
+title: Remove the expiry on user passwords after a user resets their password
+merge_request: 40712
+author:
+type: fixed
--- a/spec/controllers/passwords_controller_spec.rb
+++ b/spec/controllers/passwords_controller_spec.rb
@@ -3,11 +3,13 @@
 require 'spec_helper'

 RSpec.describe PasswordsController do
-  describe '#check_password_authentication_available' do
-    before do
-      @request.env["devise.mapping"] = Devise.mappings[:user]
-    end
+  include DeviseHelpers

+  before do
+    set_devise_mapping(context: @request)
+  end
+
+  describe '#check_password_authentication_available' do
    context 'when password authentication is disabled for the web interface and Git' do
      it 'prevents a password reset' do
        stub_application_setting(password_authentication_enabled_for_web: false)
@@ -30,4 +32,51 @@ RSpec.describe PasswordsController do
      end
    end
  end
+
+  describe '#update' do
+    render_views
+
+    context 'updating the password' do
+      subject do
+        put :update, params: {
+          user: {
+            password: password,
+            password_confirmation: password_confirmation,
+            reset_password_token: reset_password_token
+          }
+        }
+      end
+
+      let(:password) { User.random_password }
+      let(:password_confirmation) { password }
+      let(:reset_password_token) { user.send_reset_password_instructions }
+      let(:user) { create(:user, password_automatically_set: true, password_expires_at: 10.minutes.ago) }
+
+      context 'password update is successful' do
+        it 'updates the password-related flags' do
+          subject
+          user.reload
+
+          expect(response).to redirect_to(new_user_session_path)
+          expect(flash[:notice]).to include('password has been changed successfully')
+          expect(user.password_automatically_set).to eq(false)
+          expect(user.password_expires_at).to be_nil
+        end
+      end
+
+      context 'password update is unsuccessful' do
+        let(:password_confirmation) { 'not_the_same_as_password' }
+
+        it 'does not update the password-related flags' do
+          subject
+          user.reload
+
+          expect(response).to render_template(:edit)
+          expect(response.body).to have_content("Password confirmation doesn't match Password")
+          expect(user.password_automatically_set).to eq(true)
+          expect(user.password_expires_at).not_to be_nil
+        end
+      end
+    end
+  end
 end