wronglucky

author: floppydiskette <floppydisk@hyprcat.net> 2024-09-13 12:58:12 +0100
committer: floppydiskette <floppydisk@hyprcat.net> 2024-09-13 12:59:16 +0100
commit: 2c3400fb4f5a22951d42f286975201bf817d7883 (patch)
tree: a08b06f5f6d5df4f6774da7645d85418609a4cf2 /src/actions/password_resets/new.cr
parent: d8915dcca4d9752f6f254e86afa39ef7f83617d1 (diff)
1 files changed, 20 insertions, 0 deletions
diff --git a/src/actions/password_resets/new.cr b/src/actions/password_resets/new.cr
new file mode 100644
index 0000000..5503468
--- /dev/null
+++ b/src/actions/password_resets/new.cr
@@ -0,0 +1,20 @@
+class PasswordResets::New < BrowserAction
+  include Auth::PasswordResets::Base
+
+  param token : String
+
+  get "/password_resets/:user_id" do
+    redirect_to_edit_form_without_token_param
+  end
+
+  # This is to prevent password reset tokens from being scraped in the HTTP Referer header
+  # See more info here: https://github.com/thoughtbot/clearance/pull/707
+  private def redirect_to_edit_form_without_token_param
+    make_token_available_to_future_actions
+    redirect to: PasswordResets::Edit.with(user_id)
+  end
+
+  private def make_token_available_to_future_actions
+    session.set(:password_reset_token, token)
+  end
+end
author	floppydiskette <floppydisk@hyprcat.net>	2024-09-13 12:58:12 +0100
committer	floppydiskette <floppydisk@hyprcat.net>	2024-09-13 12:59:16 +0100
commit	2c3400fb4f5a22951d42f286975201bf817d7883 (patch)
tree	a08b06f5f6d5df4f6774da7645d85418609a4cf2 /src/actions/password_resets/new.cr
parent	d8915dcca4d9752f6f254e86afa39ef7f83617d1 (diff)