Rails for Beginners Part 22: Password Reset Update Discussion
How do we invalidate a token once it's used? For example, you can still use the same token even after you've already reset your password once. That would be nice to implement, but I'm not sure whether it's supported. I couldn't find anything about invalidating a token manually on their GitHub page.
How does the password reset form submit know to do a method of patch (instead of say post)? The form submission looks the same as with the registrations sign-up form, where it is a post.
In app/controllers/password_resets_controller.rb, the update method doesn't have a rescue (like edit does), but it still uses @user = User.find_signed!. This means that if the user gets to the password reset page and is authed successfully, but doesn't submit the page before the token expires, they will get an exception.
So one solution would be to have it look like this:
  def update
    # Same lookup as edit; a stale or tampered token raises InvalidSignature
    @user = User.find_signed!(params[:token], purpose: "password_reset")
  rescue ActiveSupport::MessageVerifier::InvalidSignature
    redirect_to sign_in_path, alert: "Your token has expired. Please try again."
  else
    # Only reached when the token verified successfully
    if @user.update(password_params)
      redirect_to sign_in_path, notice: "Your password was reset successfully. Please sign in."
    else
      render :edit
    end
  end
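An added example, not code from the episode or from Rails itself, showing one way to make a reset token single-use (the question raised earlier in this thread) on top of the purpose and expiry that signed_id already gives you: bind the token to a fingerprint of the user's current password_digest, so it stops verifying as soon as the password has been changed. The ResetToken module, the SECRET constant and the plain-hash users are constructed stand-ins for Rails' MessageVerifier, secret_key_base and the User model.

```ruby
require "openssl"
require "json"
require "base64"

# Constructed stand-in for the app's secret_key_base (demo value only).
SECRET = "constructed-demo-secret-not-for-production"

# Hypothetical helper mirroring signed_id(purpose:, expires_in:) behaviour,
# plus a fingerprint of the password digest so a used token is rejected.
module ResetToken
  PURPOSE = "password_reset"

  def self.hmac(payload)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  end

  def self.fingerprint(digest)
    OpenSSL::Digest::SHA256.hexdigest(digest)[0, 16]
  end

  def self.generate(user, expires_in: 15 * 60, now: Time.now.to_i)
    data = { "id" => user[:id], "pur" => PURPOSE, "exp" => now + expires_in,
             "fp" => fingerprint(user[:password_digest]) }
    payload = Base64.urlsafe_encode64(JSON.generate(data), padding: false)
    "#{payload}--#{hmac(payload)}"
  end

  # Returns the user hash when valid, otherwise a symbol naming the reason.
  def self.verify(token, users, now: Time.now.to_i)
    payload, sig = token.to_s.split("--", 2)
    return :bad_signature unless payload && sig && secure_compare(hmac(payload), sig)
    data = JSON.parse(Base64.urlsafe_decode64(payload))
    return :wrong_purpose unless data["pur"] == PURPOSE
    return :expired unless now < data["exp"]
    user = users[data["id"]]
    return :bad_signature unless user
    # Password changed since issue: the token has already been spent.
    return :already_used unless data["fp"] == fingerprint(user[:password_digest])
    user
  end

  # Constant-time comparison so the signature check leaks no timing info.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a real controller the same idea is expressed by adding the digest fingerprint to the signed message and re-checking it in update, so a second submission with the old token is rejected instead of silently succeeding.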
signed_id/find_signed were released in version 6.1. What should be used in older versions, i.e. < 6.1?
For older versions, to_sgid() works fine. How do I decode the token information again, since find_signed is undefined in older versions, as mentioned?
Regards,