Add a default password reset token to has_secure_password (rails#52483)

* Add a default password reset token to has_secure_password

* I hate this

* Assist debugging

* Add CHANGELOG entry

Author: dhh

activemodel/CHANGELOG.md

@@ -1,3 +1,23 @@
+*   Add a default token generator for password reset tokens when using `has_secure_password`.
+
+    ```ruby
+    class User < ApplicationRecord
+      has_secure_password
+    end
+
+    user = User.create!(name: "david", password: "123", password_confirmation: "123")
+    token = user.password_reset_token
+    User.find_by_password_reset_token(token) # returns user
+
+    # 16 minutes later...
+    User.find_by_password_reset_token(token) # returns nil
+
+    # raises ActiveSupport::MessageVerifier::InvalidSignature since the token is expired
+    User.find_by_password_reset_token!(token)
+    ```
+
+    *DHH*
+
 *   Add a load hook `active_model_translation` for `ActiveModel::Translation`.
 
     *Shouichi Kamiya*

activemodel/lib/active_model/secure_password.rb

@@ -39,6 +39,10 @@ module ClassMethods
       # <tt>validations: false</tt> as an argument. This allows complete
       # customizability of validation behavior.
       #
+      # Finally, a password reset token that's valid for 15 minutes after issue
+      # is automatically configured when +reset_token+ is set to true (which it is by default)
+      # and the object reponds to +generates_token_for+ (which Active Records do).
+      #
       # To use +has_secure_password+, add bcrypt (~> 3.1.7) to your Gemfile:
       #
       #   gem "bcrypt", "~> 3.1.7"
@@ -98,7 +102,18 @@ module ClassMethods
       #   account.is_guest = true
       #   account.valid? # => true
       #
-      def has_secure_password(attribute = :password, validations: true)
+      # ===== Using the password reset token
+      #
+      #   user = User.create!(name: "david", password: "123", password_confirmation: "123")
+      #   token = user.password_reset_token
+      #   User.find_by_password_reset_token(token) # returns user
+      #
+      #   # 16 minutes later...
+      #   User.find_by_password_reset_token(token) # returns nil
+      #
+      #   # raises ActiveSupport::MessageVerifier::InvalidSignature since the token is expired
+      #   User.find_by_password_reset_token!(token)
+      def has_secure_password(attribute = :password, validations: true, reset_token: true)
         # Load bcrypt gem only when has_secure_password is used.
         # This is to avoid ActiveModel (and by extension the entire framework)
         # being dependent on a binary library.
@@ -109,7 +124,7 @@ def has_secure_password(attribute = :password, validations: true)
           raise
         end
 
-        include InstanceMethodsOnActivation.new(attribute)
+        include InstanceMethodsOnActivation.new(attribute, reset_token: reset_token)
 
         if validations
           include ActiveModel::Validations
@@ -142,11 +157,30 @@ def has_secure_password(attribute = :password, validations: true)
 
           validates_confirmation_of attribute, allow_blank: true
         end
+
+        # Only generate tokens for records that are capable of doing so (Active Records, not vanilla Active Models)
+        if reset_token && respond_to?(:generates_token_for)
+          generates_token_for :"#{attribute}_reset", expires_in: 15.minutes do
+            public_send(:"#{attribute}_salt")&.last(10)
+          end
+
+          class_eval <<-RUBY, __FILE__, __LINE__ + 1
+            silence_redefinition_of_method :find_by_#{attribute}_reset_token
+            def self.find_by_#{attribute}_reset_token(token)
+              find_by_token_for("#{attribute}_reset", token)
+            end
+
+            silence_redefinition_of_method :find_by_#{attribute}_reset_token!
+            def self.find_by_#{attribute}_reset_token!(token)
+              find_by_token_for!("#{attribute}_reset", token)
+            end
+          RUBY
+        end
       end
     end
 
     class InstanceMethodsOnActivation < Module
-      def initialize(attribute)
+      def initialize(attribute, reset_token:)
         attr_reader attribute
 
         define_method("#{attribute}=") do |unencrypted_password|
@@ -184,6 +218,13 @@ def initialize(attribute)
         end
 
         alias_method :authenticate, :authenticate_password if attribute == :password
+
+        if reset_token
+          # Returns the class-level configured reset token for the password.
+          define_method("#{attribute}_reset_token") do
+            generate_token_for("#{attribute}_reset")
+          end
+        end
       end
     end
   end

activemodel/test/cases/secure_password_test.rb

@@ -2,6 +2,7 @@
 
 require "cases/helper"
 require "models/user"
+require "models/pilot"
 require "models/visitor"
 
 class SecurePasswordTest < ActiveModel::TestCase
@@ -12,6 +13,7 @@ class SecurePasswordTest < ActiveModel::TestCase
 
     @user = User.new
     @visitor = Visitor.new
+    @pilot = Pilot.new
 
     # Simulate loading an existing user from the DB
     @existing_user = User.new
@@ -314,4 +316,12 @@ class SecurePasswordTest < ActiveModel::TestCase
     @user.password = "secret"
     assert_equal BCrypt::Engine::MIN_COST, @user.password_digest.cost
   end
+
+  test "password reset token" do
+    assert_not @person.respond_to? :password_reset_token
+    assert_equal "password_reset-token-900", @pilot.password_reset_token
+
+    assert_equal "finding-for-password_reset-by-999", Pilot.find_by_password_reset_token("999")
+    assert_equal "finding-for-password_reset-by-999!", Pilot.find_by_password_reset_token!("999")
+  end
 end

activemodel/test/models/pilot.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class Pilot
+  include ActiveModel::Attributes
+  include ActiveModel::SecurePassword
+
+  def self.generates_token_for(purpose, expires_in: nil)
+    @@expires_in = expires_in
+  end
+
+  def self.find_by_token_for(purpose, token)
+    "finding-for-#{purpose}-by-#{token}"
+  end
+
+  def self.find_by_token_for!(purpose, token)
+    "finding-for-#{purpose}-by-#{token}!"
+  end
+
+  def generate_token_for(purpose)
+    "#{purpose}-token-#{@@expires_in}"
+  end
+
+  attribute :password_digest
+  has_secure_password
+end