Set an expiration for password reset tokens

README.md

@@ -32,6 +32,9 @@ The generator:
 * Creates an initializer to allow further configuration.
 * Creates a migration that either creates a users table or adds any necessary
   columns to the existing table.
+* Creates a `PasswordReset` model.
+* Creates a migration to remove the `confirmation_token` column from the users
+table if it exists.
 
 ## Configure
 
@@ -47,6 +50,7 @@ Clearance.configure do |config|
   config.routes = true
   config.httponly = false
   config.mailer_sender = '[email protected]'
+  config.password_reset_time_limit = 20.minutes
   config.password_strategy = Clearance::PasswordStrategies::BCrypt
   config.redirect_url = '/'
   config.secure_cookie = false
@@ -106,15 +110,34 @@ helpers. For example:
 
 ### Password Resets
 
-When a user resets their password, Clearance delivers them an email. You
-should change the `mailer_sender` default, used in the email's "from" header:
+When a user resets their password, Clearance sends them an email.
+
+By default, the password reset token expires in 15 minutes. You can change the
+time limit by passing in an `ActiveSupport::Duration` to
+`config.password_reset_time_limit`.
+
+You should also change the `mailer_sender` default, which used in the email's
+"from" header:
 
 ```ruby
 Clearance.configure do |config|
   config.mailer_sender = '[email protected]'
+  config.password_reset_time_limit = 1.hour
 end
 ```
 
+*Existing users*: If your app is already using Clearance but it does not have
+the token expiration feature, you can generate and run the migrations:
+
+```shell
+rails generate clearance:password_reset_migration
+```
+
+This will create a migration for the new password_resets table. If there are any
+existing password resets (i.e. any user with a confirmation token), those will
+be migrated over to the new table with its expiration set to the time limit
+configured.
+
 ### Integrating with Rack Applications
 
 Clearance adds its session to the Rack environment hash so middleware and other
@@ -241,8 +264,8 @@ If you are using an earlier version of Rails, you can override the
 
 ```ruby
 class PasswordsController < Clearance::PasswordsController
-  def deliver_email(user)
-    ClearanceMailer.delay.change_password(user)
+  def deliver_email(password_reset)
+    ClearanceMailer.delay.change_password(password_reset)
   end
 end
 ```

app/controllers/clearance/passwords_controller.rb

@@ -3,18 +3,18 @@
 class Clearance::PasswordsController < Clearance::BaseController
   skip_before_filter :require_login, only: [:create, :edit, :new, :update]
   skip_before_filter :authorize, only: [:create, :edit, :new, :update]
-  before_filter :ensure_existing_user, only: [:edit, :update]
+  before_filter :ensure_valid_password_reset, only: [:edit, :update]
 
   def create
     if user = find_user_for_create
-      user.forgot_password!
-      deliver_email(user)
+      password_reset = PasswordReset.create!(user: user)
+      deliver_email(password_reset)
     end
     render template: 'passwords/create'
   end
 
   def edit
-    @user = find_user_for_edit
+    @password_reset = find_active_password_reset
     render template: 'passwords/edit'
   end
 
@@ -23,10 +23,10 @@ def new
   end
 
   def update
-    @user = find_user_for_update
+    @password_reset = find_active_password_reset
 
-    if @user.update_password password_reset_params
-      sign_in @user
+    if @password_reset.complete(password_reset_params)
+      sign_in @password_reset.user
       redirect_to url_after_update
     else
       flash_failure_after_update
@@ -36,8 +36,8 @@ def update
 
   private
 
-  def deliver_email(user)
-    mail = ::ClearanceMailer.change_password(user)
+  def deliver_email(password_reset)
+    mail = ::ClearanceMailer.change_password(password_reset)
 
     if Gem::Version.new(Rails::VERSION::STRING) >= Gem::Version.new("4.2.0")
       mail.deliver_later
@@ -55,28 +55,23 @@ def password_reset_params
     end
   end
 
-  def find_user_by_id_and_confirmation_token
-    user_param = Clearance.configuration.user_id_parameter
+  def find_active_password_reset
+    @find_active_password_reset ||= PasswordReset.
+      active_for(params[user_param]).
+      find_by_token(params[:token])
+  end
 
-    Clearance.configuration.user_model.
-      find_by_id_and_confirmation_token params[user_param], params[:token].to_s
+  def user_param
+    Clearance.configuration.user_id_parameter
   end
 
   def find_user_for_create
     Clearance.configuration.user_model.
       find_by_normalized_email params[:password][:email]
   end
 
-  def find_user_for_edit
-    find_user_by_id_and_confirmation_token
-  end
-
-  def find_user_for_update
-    find_user_by_id_and_confirmation_token
-  end
-
-  def ensure_existing_user
-    unless find_user_by_id_and_confirmation_token
+  def ensure_valid_password_reset
+    unless find_active_password_reset
       flash_failure_when_forbidden
       render template: "passwords/new"
     end

app/mailers/clearance_mailer.rb

@@ -1,9 +1,11 @@
 class ClearanceMailer < ActionMailer::Base
-  def change_password(user)
-    @user = user
+  def change_password(password_reset)
+    @password_reset = password_reset
+    @time_limit = PasswordReset.time_limit
+
     mail(
       from: Clearance.configuration.mailer_sender,
-      to: @user.email,
+      to: @password_reset.user_email,
       subject: I18n.t(
         :change_password,
         scope: [:clearance, :models, :clearance_mailer],

app/models/password_reset.rb

@@ -0,0 +1,62 @@
+class PasswordReset < ActiveRecord::Base
+  before_create :generate_token, :generate_expiration_timestamp
+
+  belongs_to :user
+
+  validates :user_id, presence: true
+
+  delegate :email, to: :user, prefix: true
+
+  def self.active_for(user_id)
+    where(
+      "#{Clearance.configuration.user_id_parameter} = ? AND expires_at > ?",
+      user_id,
+      Time.zone.now
+    )
+  end
+
+  def self.time_limit
+    Clearance.configuration.password_reset_time_limit
+  end
+
+  def complete(new_password)
+    reset_successful = false
+
+    transaction do
+      unless user.update_password(new_password)
+        raise ActiveRecord::Rollback
+      end
+
+      deactivate_user_resets
+      reset_successful = true
+    end
+
+    reset_successful
+  end
+
+  def deactivate
+    update_attributes(expires_at: Time.zone.now)
+  end
+
+  def expired?
+    expires_at <= Time.zone.now
+  end
+
+  private
+
+  def active?
+    !expired?
+  end
+
+  def deactivate_user_resets
+    Clearance::PasswordResetsDeactivator.new(user).run
+  end
+
+  def generate_token
+    self.token = Clearance::Token.new
+  end
+
+  def generate_expiration_timestamp
+    self.expires_at = self.class.time_limit.from_now
+  end
+end

app/views/clearance_mailer/change_password.html.erb

@@ -1,8 +1,8 @@
-<p><%= t(".opening") %></p>
+<p><%= t(".opening", time_limit: distance_of_time_in_words(@time_limit)) %></p>
 
 <p>
   <%= link_to t(".link_text", default: "Change my password"),
-    edit_user_password_url(@user, token: @user.confirmation_token.html_safe) %>
+    edit_user_password_url(@password_reset.user, token: @password_reset.token) %>
 </p>
 
 <p><%= raw t(".closing") %></p>

app/views/clearance_mailer/change_password.text.erb

@@ -1,5 +1,5 @@
-<%= t(".opening") %></p>
+<%= t(".opening", time_limit: distance_of_time_in_words(@time_limit)) %>
 
-<%= edit_user_password_url(@user, token: @user.confirmation_token.html_safe) %>
+<%= edit_user_password_url(@password_reset.user, token: @password_reset.token) %>
 
 <%= raw t(".closing") %>

app/views/passwords/edit.html.erb

@@ -4,8 +4,8 @@
   <p><%= t(".description") %></p>
 
   <%= form_for :password_reset,
-        url: user_password_path(@user, token: @user.confirmation_token),
-        html: { method: :put } do |form| %>
+    url: user_password_path(@password_reset.user, token: @password_reset.token),
+    html: { method: :put } do |form| %>
     <div class="password-field">
       <%= form.label :password %>
       <%= form.password_field :password %>

config/locales/clearance.en.yml

@@ -6,10 +6,10 @@ en:
         not been changed.
       link_text: Change my password
       opening: "Someone, hopefully you, requested we send you a link to change
-        your password:"
+        your password. This link expires in %{time_limit}:"
   flashes:
     failure_after_create: Bad email or password.
-    failure_after_update: Password can't be blank.
+    failure_after_update: Something went wrong with the password you provided.
     failure_when_forbidden: Please double check the URL or try submitting
       the form again.
   helpers:

db/migrate/20150122204353_create_password_resets.rb

@@ -0,0 +1,12 @@
+class CreatePasswordResets < ActiveRecord::Migration
+  def change
+    create_table :password_resets do |t|
+      t.integer :user_id, null: false
+      t.string :token, null: false
+      t.datetime :expires_at, null: false
+      t.timestamps null: false
+    end
+
+    add_index :password_resets, [:user_id, :expires_at]
+  end
+end

db/migrate/20150127232904_remove_confirmation_token_from_users.rb

@@ -0,0 +1,36 @@
+class RemoveConfirmationTokenFromUsers < ActiveRecord::Migration
+  def up
+    execute <<-SQL
+      INSERT INTO password_resets
+        (user_id, token, expires_at, created_at, updated_at)
+      SELECT
+        users.id,
+        users.confirmation_token,
+        '#{expiration_timestamp}',
+        CURRENT_TIMESTAMP,
+        CURRENT_TIMESTAMP
+      FROM users
+      WHERE users.confirmation_token IS NOT NULL
+    SQL
+
+    remove_column :users, :confirmation_token
+  end
+
+  def expiration_timestamp
+    Clearance.
+      configuration.
+      password_reset_time_limit.
+      from_now
+  end
+
+  def down
+    add_column :users, :confirmation_token, :string, limit: 128
+
+    execute <<-SQL
+      UPDATE users
+      SET confirmation_token =
+        (SELECT token FROM password_resets
+         WHERE users.id = password_resets.user_id)
+    SQL
+  end
+end

db/schema.rb

@@ -11,14 +11,23 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20110111224543) do
+ActiveRecord::Schema.define(version: 20150127232904) do
 
-  create_table "users", force: true do |t|
+  create_table "password_resets", force: :cascade do |t|
+    t.integer  "user_id",    null: false
+    t.string   "token",      null: false
+    t.datetime "expires_at", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
+
+  add_index "password_resets", ["user_id", "expires_at"], name: "index_password_resets_on_user_id_and_expires_at"
+
+  create_table "users", force: :cascade do |t|
     t.datetime "created_at",                     null: false
     t.datetime "updated_at",                     null: false
     t.string   "email",                          null: false
     t.string   "encrypted_password", limit: 128, null: false
-    t.string   "confirmation_token", limit: 128
     t.string   "remember_token",     limit: 128, null: false
   end
 

lib/clearance.rb

@@ -6,6 +6,7 @@
 require 'clearance/controller'
 require 'clearance/user'
 require 'clearance/engine'
+require "clearance/password_resets_deactivator"
 require 'clearance/password_strategies'
 require 'clearance/constraints'
 

lib/clearance/configuration.rb

@@ -47,6 +47,11 @@ class Configuration
     # @return [String]
     attr_accessor :mailer_sender
 
+    # The time limit given to the user before their password reset token expires
+    # Defaults to 20.minutes (900 seconds)
+    # @return [ActiveSupport::Duration]
+    attr_accessor :password_reset_time_limit
+
     # The password strategy to use when authenticating and setting passwords.
     # Defaults to `Clearance::PasswordStrategies::BCrypt`.
     # @return [Class #authenticated? #password=]
@@ -93,6 +98,7 @@ def initialize
       @cookie_name = "remember_token"
       @httponly = false
       @mailer_sender = '[email protected]'
+      @password_reset_time_limit = 20.minutes
       @redirect_url = '/'
       @routes = true
       @secure_cookie = false

lib/clearance/password_resets_deactivator.rb

@@ -0,0 +1,19 @@
+module Clearance
+  class PasswordResetsDeactivator
+    def initialize(user)
+      @user = user
+    end
+
+    def run
+      active_password_resets.each(&:deactivate)
+    end
+
+    private
+
+    attr_reader :user
+
+    def active_password_resets
+      PasswordReset.active_for(user)
+    end
+  end
+end