While OAuth tokens were revoked immediately, accessing the home controller immediately generated new OAuth tokens and "revived" the session, due to a combination of the remember_me tokens and the overridden `authenticate_user!` method.
# frozen_string_literal: true
class Auth::PasswordsController < Devise::PasswordsController
  # Password-reset flow layered on Devise's controller.
  #
  # The +edit+ form is only rendered when the token in the URL resolves to an
  # account, and a successful +update+ additionally tears down the account's
  # session activations and its remember-me credential, so that a password
  # reset really ends every session that was open under the old password.
  before_action :check_validity_of_reset_password_token, only: :edit
  before_action :set_body_classes

  layout 'auth'

  # Let Devise perform the reset, then revoke the account's other sessions.
  #
  # The block runs once Devise has attempted the reset; it does nothing when
  # the reset left validation errors on the resource, so revocation only
  # happens after the new password is actually in place.
  def update
    super do |resource|
      next unless resource.errors.empty?

      # Remove every server-side session record so browsers still holding an
      # old session cannot keep acting on the account.
      resource.session_activations.destroy_all
      # Clear the remember-me token too: a surviving remember_me cookie would
      # otherwise transparently re-create a session on the next request and
      # undo the revocation above.
      resource.forget_me!
    end
  end

  private

  # Bounce to the "request a new reset" page when the token in the query
  # string does not resolve to any account.
  #
  # NOTE(review): only existence of the token is checked here; token age is
  # presumably enforced by Devise when the form is submitted to +update+ —
  # confirm against the Devise version in use.
  def check_validity_of_reset_password_token
    return if reset_password_token_is_valid?

    flash[:error] = I18n.t('auth.invalid_reset_password_token')
    redirect_to new_password_path(resource_name)
  end

  # Body class consumed by the 'auth' layout.
  def set_body_classes
    @body_classes = 'lighter'
  end

  # True when the raw +reset_password_token+ parameter maps to an account.
  def reset_password_token_is_valid?
    matching_account = resource_class.with_reset_password_token(params[:reset_password_token])
    matching_account.present?
  end
end