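--- a/app/controllers/shopkeeper_auth/passwords_controller.rb
+++ b/app/controllers/shopkeeper_auth/passwords_controller.rb
@@ -18,7 +18,7 @@ def render_error_not_allowed_redirect_url
 end
 
 def render_not_found_error
-render json: {code: 404, error_message: I18n.t("devise_token_auth.passwords.user_not_found", email: @email)}, status: :not_found
+render json: {success: true, message: I18n.t("devise_token_auth.passwords.sended_paranoid")}, status: :ok
 end
 
 def render_create_error(errors)
@@ -48,13 +48,11 @@ def render_update_error_missing_password
 end
 
 def render_update_error
-error_messages = @resource.errors.full_messages.flatten.join("<br/>").html_safe
-
 redirect_to(
 edit_shopkeeper_auth_reset_password_path(
 reset_password_token: params[:reset_password_token]
 ),
-alert: error_messages
+alert: @resource.errors.full_messages.to_sentence
 )
 end
 end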
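Review bot: The generic body in render_not_found_error only stops enumeration if the existing-user path returns a byte-identical response; if this controller still inherits the gem's default render_create_success, that path uses the `sended` message (which interpolates the address) rather than `sended_paranoid`, so the two cases remain distinguishable — the 404 has just become a 200 with a different message. If that is the case, override it too with `render json: {success: true, message: I18n.t("devise_token_auth.passwords.sended_paranoid")}, status: :ok` so both branches emit the same bytes. The found path also sends mail synchronously unless delivery is deferred, which leaves a timing difference worth a comment such as `# NOTE: response timing still differs from the found-user path; keep mail delivery async`. The `@email` instance variable is no longer referenced in this method, and dropping `.html_safe` in render_update_error is the right call since the joined messages were previously rendered unescaped.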
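--- a/config/initializers/devise_token_auth.rb
+++ b/config/initializers/devise_token_auth.rb
@@ -35,7 +35,7 @@
 # Uncomment to enforce current_password param to be checked before all
 # attribute updates. Set it to :password if you want it to be checked only if
 # password is updated.
-# config.check_current_password_before_update = :attributes
+config.check_current_password_before_update = :password
 
 # By default we will use callbacks for single omniauth.
 # It depends on fields like email, provider and uid.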
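Review bot: Setting `:password` demands the current password only when the password itself changes, so an update of any other attribute — notably email — goes through on a bare session token, and since email is the channel the reset flow mails to, a stolen token could rebind the account and then reset it. Unless email changes are rejected elsewhere, `:attributes` is the safer value, i.e. `config.check_current_password_before_update = :attributes`, matching the "before all attribute updates" wording of the comment directly above. If `:password` is deliberate, a one-line comment stating that email updates are guarded separately would save the next reader this question. The enclosing initializer block starts and ends outside the hunk.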
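--- a/test/controllers/shopkeeper_auth/passwords_controller_test.rb
+++ b/test/controllers/shopkeeper_auth/passwords_controller_test.rb
@@ -35,15 +35,31 @@ def setup
 assert_equal 401, JSON.parse(response.body)["code"]
 end
 
-test "should return not found for non-existent email" do
+test "should redirect with error when password update fails validation" do
+token = @shopkeeper.send(:set_reset_password_token)
+
+patch shopkeeper_password_url,
+params: {
+reset_password_token: token,
+password: "short",
+password_confirmation: "mismatch"
+}
+
+assert_response :redirect
+assert_match "edit", response.location
+follow_redirect!
+assert_select ".bg-yellow-50"
+end
+
+test "should return generic success for non-existent email to prevent enumeration" do
 post shopkeeper_password_url,
 params: {
 email: "nonexistent@example.com",
 redirect_url: "http://localhost:3000/reset"
 },
 as: :json
 
-assert_response :not_found
-assert_equal 404, JSON.parse(response.body)["code"]
+assert_response :ok
+assert JSON.parse(response.body)["success"]
 end
 end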
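Review bot: The enumeration test only checks that the unknown-email response is a 200 with `success: true`; it never compares it with the response for an existing email, so it would pass even if the two bodies differ and the address can still be distinguished. Pinning the property means requesting both and asserting the bodies are equal, using the `@shopkeeper` fixture the validation test already relies on. The validation test likewise asserts only a CSS class (`.bg-yellow-50`) on the redirect target; asserting the rendered alert text, e.g. `assert_select ".bg-yellow-50", text: /Password/`, would also confirm the now-unescaped message actually reaches the page. This assumes the existing-email path emits the same paranoid message, which is not visible in this diff.

```ruby
test "should return identical responses for existing and non-existent email" do
  post shopkeeper_password_url,
    params: {email: @shopkeeper.email, redirect_url: "http://localhost:3000/reset"},
    as: :json
  existing = [response.status, JSON.parse(response.body)]

  post shopkeeper_password_url,
    params: {email: "nonexistent@example.com", redirect_url: "http://localhost:3000/reset"},
    as: :json

  assert_equal existing, [response.status, JSON.parse(response.body)]
end
```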