Handle expired reset_password_tokens on passwords#update (#1662)

catks · web-flow · commit 3c32d15ae195 · 2025-11-13T08:12:41.000-03:00
* Handle expired reset_password_tokens on update

* fixup! Handle expired reset_password_tokens on update
diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb
@@ -73,7 +73,7 @@ def update
       # make sure user is authorized
       if require_client_password_reset_token? && resource_params[:reset_password_token]
         @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
-        return render_update_error_unauthorized unless @resource
+        return render_update_error_unauthorized unless @resource && @resource.reset_password_period_valid?
 
         @token = @resource.create_token
       else
diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb
@@ -746,6 +746,36 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
         end
 
+        describe 'with expired reset password token' do
+          before do
+            DeviseTokenAuth.require_client_password_reset_token = true
+            reset_password_token = @resource.send_reset_password_instructions
+            @resource.update! reset_password_sent_at: 2.days.ago
+
+            @new_password = Faker::Internet.password
+            @params = { password: @new_password,
+                        password_confirmation: @new_password,
+                        reset_password_token: reset_password_token }
+
+            put :update, params: @params
+
+            @data = JSON.parse(response.body)
+            @resource.reload
+          end
+
+          test 'request should fail' do
+            assert_equal 401, response.status
+          end
+
+          test 'new password should not authenticate user' do
+            assert !@resource.valid_password?(@new_password)
+          end
+
+          teardown do
+            DeviseTokenAuth.require_client_password_reset_token = false
+          end
+        end
+
         describe 'with invalid reset password token' do
           before do
             DeviseTokenAuth.require_client_password_reset_token = true
diff --git a/test/dummy/config/application.rb b/test/dummy/config/application.rb
@@ -2,6 +2,7 @@
 
 require File.expand_path('boot', __dir__)
 
+require 'logger'
 require 'action_controller/railtie'
 require 'action_mailer/railtie'
 require 'rails/generators'
