Add a default password reset token to has_secure_password #52483


Merged
merged 5 commits into from
Aug 1, 2024

Conversation

@dhh (Member) commented Aug 1, 2024

Add a default configuration for a 15-minute password reset token when using has_secure_password:

```ruby
class User < ApplicationRecord
  has_secure_password
end

user = User.create!(name: "david", password: "123", password_confirmation: "123")
token = user.password_reset_token
User.find_by_password_reset_token(token) # returns user

# 16 minutes later...
User.find_by_password_reset_token(token) # returns nil

# raises ActiveSupport::MessageVerifier::InvalidSignature since the token is expired
User.find_by_password_reset_token!(token)
```
@dhh (Member, Author) commented Aug 1, 2024

Unrelated failures.

@dhh dhh merged commit e143d25 into main Aug 1, 2024
3 of 5 checks passed
@dhh dhh deleted the has-secure-password-reset-token branch August 1, 2024 22:47
Review comment on the following lines of the diff:

```ruby
# Only generate tokens for records that are capable of doing so (Active Records, not vanilla Active Models)
if reset_token && respond_to?(:generates_token_for)
  generates_token_for :"#{attribute}_reset", expires_in: 15.minutes do
    public_send(:"#{attribute}_salt")&.last(10)
```
Contributor commented:

@dhh does this mean we'll need password_digest and password_salt columns?

@dhh (Member, Author) replied:

password_digest is already generated in the migration and salt is virtual.

abeidahmed added a commit to abeidahmed/rails that referenced this pull request Sep 1, 2024
Extends rails#52483

Ability to change the default `expires_in` for `has_secure_password`
token generator.

```ruby
class User < ApplicationRecord
  has_secure_password reset_password_token_expires_in: 30.minutes
end
```
abeidahmed added a commit to abeidahmed/rails that referenced this pull request Sep 1, 2024
Extends rails#52483

Ability to change the default `expires_in` for `has_secure_password`
token generator.

```ruby
class User < ApplicationRecord
  has_secure_password reset_token_expires_in: 30.minutes
end
```
abeidahmed added a commit to abeidahmed/rails that referenced this pull request Sep 13, 2024
Extends rails#52483

Ability to change the default `expires_in` for `has_secure_password`
token generator.

```ruby
class User < ApplicationRecord
  has_secure_password reset_token: { expires_in: 30.minutes }
end
```
abeidahmed added a commit to abeidahmed/rails that referenced this pull request Oct 1, 2024
Extends rails#52483

Ability to change the default `expires_in` for `has_secure_password`
token generator.

```ruby
class User < ApplicationRecord
  has_secure_password reset_token: { expires_in: 30.minutes }
end
```
DanielaVelasquez pushed a commit to DanielaVelasquez/rails that referenced this pull request Oct 3, 2024
* Add a default password reset token to has_secure_password

* I hate this

* Assist debugging

* Add CHANGELOG entry