Class: Spree::Api::V3::Admin::PasswordResetsController
- Inherits:
-
Admin::BaseController
- Object
- Admin::BaseController
- Spree::Api::V3::Admin::PasswordResetsController
- Includes:
- AuthCookies
- Defined in:
- app/controllers/spree/api/v3/admin/password_resets_controller.rb
Constant Summary
Constants included from AuthCookies
AuthCookies::COOKIE_PATH, AuthCookies::REFRESH_COOKIE_NAME
Instance Method Summary collapse
-
#create ⇒ Object
POST /api/v3/admin/password_resets.
-
#update ⇒ Object
PATCH /api/v3/admin/password_resets/:id.
Instance Method Details
#create ⇒ Object
POST /api/v3/admin/password_resets
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
# File 'app/controllers/spree/api/v3/admin/password_resets_controller.rb', line 19 def create redirect_url = params[:redirect_url] # Validate redirect_url against allowed origins (secure by default). # If no allowed origins are configured, redirect_url is silently ignored # to prevent open redirect / token exfiltration attacks. if redirect_url.present? unless current_store.allowed_origins.exists? && current_store.allowed_origin?(redirect_url) redirect_url = nil end end user = Spree.admin_user_class.find_by(email: params[:email]) if user token = user.generate_token_for(:password_reset) event_payload = { reset_token: token, email: user.email, store_id: current_store.prefixed_id } event_payload[:redirect_url] = redirect_url if redirect_url.present? user.publish_event('admin_user.password_reset_requested', event_payload) end # Always return 202 to prevent email enumeration render json: { message: Spree.t(:password_reset_requested, scope: :api) }, status: :accepted end |
#update ⇒ Object
PATCH /api/v3/admin/password_resets/:id
45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 |
# File 'app/controllers/spree/api/v3/admin/password_resets_controller.rb', line 45 def update user = Spree.admin_user_class.find_by_password_reset_token(params[:id]) unless user return render_error( code: ERROR_CODES[:password_reset_token_invalid], message: Spree.t(:password_reset_token_invalid, scope: :api), status: :unprocessable_content ) end if user.update(password: params[:password], password_confirmation: params[:password_confirmation]) user.publish_event('admin_user.password_reset') # A password reset must kill every existing session — a stolen # refresh token must not survive the victim resetting their # password. Revoke first, then mint the fresh token for this # browser (the auto-sign-in below). Spree::RefreshToken.revoke_all_for(user) refresh_token = Spree::RefreshToken.create_for(user, request_env: request_env_for_token) (refresh_token) render json: auth_response(user) else render_errors(user.errors) end end |