Class: Spree::Api::V3::Store::Customer::PasswordResetsController

Inherits:
BaseController show all
Defined in:
app/controllers/spree/api/v3/store/customer/password_resets_controller.rb

Constant Summary

Constants inherited from BaseController

BaseController::RATE_LIMIT_RESPONSE

Constants included from Idempotent

Idempotent::IDEMPOTENCY_HEADER, Idempotent::IDEMPOTENCY_TTL, Idempotent::MAX_KEY_LENGTH, Idempotent::MUTATING_METHODS

Constants included from ErrorHandler

ErrorHandler::ERROR_CODES

Constants included from JwtAuthentication

JwtAuthentication::JWT_AUDIENCE_ADMIN, JwtAuthentication::JWT_AUDIENCE_STORE, JwtAuthentication::JWT_ISSUER, JwtAuthentication::USER_TYPE_ADMIN, JwtAuthentication::USER_TYPE_CUSTOMER

Instance Method Summary collapse

Methods included from ApiKeyAuthentication

#authenticate_api_key!, #authenticate_secret_key!

Methods included from JwtAuthentication

#authenticate_user, #require_authentication!

Instance Method Details

#createObject

POST /api/v3/store/password_resets



17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
 
# File 'app/controllers/spree/api/v3/store/customer/password_resets_controller.rb', line 17

def create
  redirect_url = params[:redirect_url]

  # Validate redirect_url against allowed origins (secure by default).
  # If no allowed origins are configured, redirect_url is silently ignored
  # to prevent open redirect / token exfiltration attacks.
  if redirect_url.present?
    if current_store.allowed_origins.exists? && current_store.allowed_origin?(redirect_url)
      # redirect_url is valid — keep it
    else
      redirect_url = nil
    end
  end

  user = Spree.user_class.find_by(email: params[:email])

  if user
    token = user.generate_token_for(:password_reset)
    event_payload = { reset_token: token, email: user.email }
    event_payload[:redirect_url] = redirect_url if redirect_url.present?
    user.publish_event('customer.password_reset_requested', event_payload)
  end

  # Always return 202 to prevent email enumeration
  render json: { message: Spree.t(:password_reset_requested, scope: :api) }, status: :accepted
end

#updateObject

PATCH /api/v3/store/password_resets/:id



45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
 
# File 'app/controllers/spree/api/v3/store/customer/password_resets_controller.rb', line 45

def update
  user = Spree.user_class.find_by_password_reset_token(params[:id])

  unless user
    return render_error(
      code: ERROR_CODES[:password_reset_token_invalid],
      message: Spree.t(:password_reset_token_invalid, scope: :api),
      status: :unprocessable_content
    )
  end

  if user.update(password: params[:password], password_confirmation: params[:password_confirmation])
    jwt = generate_jwt(user)
    refresh_token = Spree::RefreshToken.create_for(user, request_env: { ip_address: request.remote_ip, user_agent: request.user_agent&.truncate(255) })
    user.publish_event('customer.password_reset')

    render json: {
      token: jwt,
      refresh_token: refresh_token.token,
      user: serializer_class.new(user, params: serializer_params).to_h
    }
  else
    render_errors(user.errors)
  end
end