Password reset should confirm users email #94
Comments
Valid point.
Then there is no way to retrigger the confirmation mail out of the box, is there? A resend of the confirmation email could be triggered here automatically?

There's a link to resend email verifications, but the user must be signed in. In your case, the user can contact the support team and they can resend the confirmation email. Of course, there are other options:

1 - Remove the requirement to only send password resets from verified accounts.
I ran into this lock scenario today while testing and I feel like the current functionality basically tells hackers what email addresses exist in the system and which ones don't. This code generated by the gem feels like a security gap to me:

```ruby
def create
  # Only verified accounts get a reset email; an unverified or unknown
  # address gets a different response, which reveals account state.
  if @user = User.find_by(email: params[:email], verified: true)
    send_password_reset_email
    redirect_to sign_in_path, notice: "Check your email for reset instructions"
  else
    redirect_to new_identity_password_reset_path, alert: "You can't reset your password until you verify your email"
  end
end
```

My suggestion to fix this would be to allow password resets without email verification.

```ruby
def create
  # Send the reset email whenever the address matches an account, and
  # respond identically whether or not a match was found.
  if @user = User.find_by(email: params[:email])
    send_password_reset_email
  end
  redirect_to sign_in_path, notice: "Check your email for reset instructions"
end
```

And then automatically re-send the email verification if a user resets their password on an account that isn't verified, and remind the user to verify their email when the password reset is confirmed on the screen.
I had a look at: #80

In case a user forgot his password but never received a confirmation mail (be it some junk filter or broken mailer), he is basically locked out. On my applications I change it to still send out a password recovery link, and when the link is used the user is confirmed automatically. This makes sense in my opinion, what do you think @lazaronixon?

Let me know if I should send in a PR :)
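As an added illustration (not code from the gem or from anyone in this thread), the following plain-Ruby model puts both proposals from the discussion side by side: the uniform "check your email" response that does not reveal whether an address is registered, the automatic re-send of the verification mail for an unverified account, and marking the account verified once the emailed reset link is actually used. The `User` struct, the in-memory store, the mail collector and the hex token are assumptions standing in for the Rails model, mailer and token generator.

```ruby
require "securerandom"

# Constructed stand-in for the application's user model.
User = Struct.new(:email, :verified, :password, :reset_token, keyword_init: true)

class PasswordResetFlow
  # The same notice is returned for every request, known address or not.
  NOTICE = "Check your email for reset instructions".freeze

  attr_reader :sent_mail

  def initialize(users)
    @users = users      # constructed sample accounts
    @sent_mail = []     # records [:reset | :verification, email] instead of sending
  end

  # Step 1: the user submits an email address.
  # Mail is only produced for a matching account, but the caller sees the
  # identical notice in all cases, so the endpoint cannot be used to test
  # which addresses exist. An unverified account also gets its
  # verification mail re-sent, as suggested in the comments above.
  def request_reset(email)
    user = @users.find { |u| u.email.casecmp?(email) }
    if user
      user.reset_token = SecureRandom.hex(16)
      @sent_mail << [:reset, user.email]
      @sent_mail << [:verification, user.email] unless user.verified
    end
    NOTICE
  end

  # Step 2: the user follows the emailed link. Using the token proves
  # control of the mailbox, so an unverified account is confirmed here,
  # which is the approach described in the issue body. The token is
  # single-use and discarded after a successful reset.
  def complete_reset(token, new_password)
    user = @users.find { |u| u.reset_token && u.reset_token == token }
    return :invalid_token unless user
    user.password = new_password
    user.reset_token = nil
    user.verified = true
    :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  users = [User.new(email: "alice@example.com", verified: false)]
  flow = PasswordResetFlow.new(users)
  puts flow.request_reset("alice@example.com")
  puts flow.request_reset("nobody@example.com")   # same notice, no mail
  p flow.sent_mail
  p flow.complete_reset(users.first.reset_token, "new-password")
  p users.first.verified
end
```

The visible response is uniform, but the work done differs (token generation and mail delivery only happen for a real account), so in a real controller the mail should be queued asynchronously rather than delivered inline to keep response timing from becoming the next signal.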