Recently I needed to add "forgot your password?" to a Rails app built by my company. I had never done this before so I watched the Remember Me & Reset Password Railscasts screencast. It was infinitely helpful, but I added a few things that were not in the video that I would like to share here. I followed the screencast for the most part: Adding a
password_resets controller, in addition to following the
auth_token directions. One thing I added was an intermittent page, instructing the user to check their email. I used the
index.html.hamllayout for this. In addition I did not like it that users who hadn't requested a new password could access these pages, so I created a few redirects to prevent that. My index and new action show this redirect protection.
If a user attemps to go to the password_resets while already logged in they will be redirected to their profile, if they try to get there without being logged in they will be redirected to the login page, same with the new action.
I added the functionality to check whether the user's email was in the database and to return an error if it was invalid.
On the create action I have the page rendering the index instead of redirecting to maintain access to the email address so the view can display "An email has been sent to "insert email address". You must click the link in the email to reset your password."
Lastly, I wanted to make it more secure than the token expiring in 2 hours, so I added code that make the token expire if the user successfully changed their password. Once the user successfully changes their password
reset_pass_token will be erased from the database and will be redirected to their account profile, so they can edit other settings if they like otherwise, they recieve errors. If the new password save isn't successful within 2 hours the token will also expire.
The setup for "Forgot your password?" was rather easy and I learned a lot from implementing the functionality.