Add password reset to authentication generator (rails#52472)

* Add password reset flow

* Stray CR

* Match link title

* Simplify the HTML

* No need to repeat

* Fix title

* No need for this CR

* Accidentally removed condition

* Fix token references need to be symbols

* Use new automated token generator

* Use new built-in password reset token and slim down controller

* Add preview and reset optionality

* Fix preview path and reset opt-out

* Simplify the HTML

* Fix problem with routes

* No need for password resets to be optional

Keep it simple

Author: dhh

railties/lib/rails/generators/erb/authentication/authentication_generator.rb

@@ -6,6 +6,8 @@ module Erb # :nodoc:
   module Generators # :nodoc:
     class AuthenticationGenerator < Rails::Generators::Base # :nodoc:
       def create_files
+        template "views/passwords/new.html.erb", File.join("app/views/passwords/new.html.erb")
+        template "views/passwords/edit.html.erb", File.join("app/views/passwords/edit.html.erb")
         template "views/sessions/new.html.erb", File.join("app/views/sessions/new.html.erb")
       end
     end

railties/lib/rails/generators/erb/authentication/templates/views/passwords/edit.html.erb

@@ -0,0 +1,9 @@
+<h1>Update your password</h2>
+
+<%%= tag.div(flash[:alert], style: "color:red") if flash[:alert] %>
+
+<%%= form_with url: password_path(params[:token]), method: :put do |form| %>
+  <%%= form.password_field :password, required: true, autocomplete: "off", placeholder: "Enter new password", maxlength: 72 %><br>
+  <%%= form.password_field :password_confirmation, required: true, autocomplete: "off", placeholder: "Repeat new password", maxlength: 72 %><br>
+  <%%= form.submit "Save" %>
+<%% end %>

railties/lib/rails/generators/erb/authentication/templates/views/passwords/new.html.erb

@@ -0,0 +1,8 @@
+<h1>Forgot your password?</h1>
+
+<%%= tag.div(flash[:alert], style: "color:red") if flash[:alert] %>
+
+<%%= form_with url: passwords_path do |form| %>
+  <%%= form.email_field :email_address, required: true, autofocus: true, autocomplete: "username", placeholder: "Enter your email address", value: params[:email_address] %><br>
+  <%%= form.submit "Email reset instructions" %>
+<%% end %>

railties/lib/rails/generators/erb/authentication/templates/views/sessions/new.html.erb

@@ -1,6 +1,5 @@
-<%% if alert = flash[:alert] %>
-  <div style="color:red"><%%= alert %></div>
-<%% end %>
+<%%= tag.div(flash[:alert], style: "color:red") if flash[:alert] %>
+<%%= tag.div(flash[:notice], style: "color:green") if flash[:notice] %>
 
 <%%= form_with url: session_path do |form| %>
   <div>
@@ -13,3 +12,6 @@
 
   <%%= form.submit "Sign in" %>
 <%% end %>
+<br>
+
+<%%= link_to "Forgot password?", new_password_path %>

railties/lib/rails/generators/rails/authentication/USAGE

@@ -1,5 +1,5 @@
 Description:
-    Generates a basic authentication system with users and sessions.
+    Generates a basic authentication system with users, sessions, and password reset.
 
 Example:
     `bin/rails generate authentication`

railties/lib/rails/generators/rails/authentication/authentication_generator.rb

@@ -10,17 +10,29 @@ class AuthenticationGenerator < Base # :nodoc:
         invoke template_engine unless options.api?
       end
 
-      def create_files
+      def create_authentication_files
         template "models/session.rb", File.join("app/models/session.rb")
         template "models/user.rb", File.join("app/models/user.rb")
         template "models/current.rb", File.join("app/models/current.rb")
 
         template "controllers/sessions_controller.rb", File.join("app/controllers/sessions_controller.rb")
         template "controllers/concerns/authentication.rb", File.join("app/controllers/concerns/authentication.rb")
+        template "controllers/passwords_controller.rb", File.join("app/controllers/passwords_controller.rb")
+
+        template "mailers/passwords_mailer.rb", File.join("app/mailers/passwords_mailer.rb")
+
+        template "views/passwords_mailer/reset.html.erb", File.join("app/views/passwords_mailer/reset.html.erb")
+        template "views/passwords_mailer/reset.text.erb", File.join("app/views/passwords_mailer/reset.text.erb")
+
+        template "test/mailers/previews/passwords_mailer_preview.rb", File.join("test/mailers/previews/passwords_mailer_preview.rb")
       end
 
-      def configure_application
+      def configure_application_controller
         gsub_file "app/controllers/application_controller.rb", /(class ApplicationController < ActionController::Base)/, "\\1\n  include Authentication"
+      end
+
+      def configure_authentication_routes
+        route "resources :passwords, param: :token"
         route "resource :session"
       end
 

railties/lib/rails/generators/rails/authentication/templates/controllers/passwords_controller.rb

@@ -0,0 +1,34 @@
+class PasswordsController < ApplicationController
+  allow_unauthenticated_access
+  before_action :set_user_by_token, only: %i[ edit update ]
+
+  def new
+  end
+
+  def create
+    if user = User.find_by(email_address: params[:email_address])
+      PasswordsMailer.reset(user).deliver_later
+    end
+
+    redirect_to new_session_url, notice: "Password reset instructions sent (if user with that email address exists)."
+  end
+
+  def edit
+  end
+
+  def update
+    if @user.update(params.permit(:password, :password_confirmation))
+      redirect_to new_session_url, notice: "Password has been reset."
+    else
+      redirect_to edit_password_url(params[:token]), alert: "Passwords did not match."
+    end
+  end
+
+  private
+    def set_user_by_token
+      @user = User.find_by_password_reset_token!(params[:token])
+    rescue ActiveSupport::MessageVerifier::InvalidSignature
+      redirect_to new_password_url, alert: "Password reset link is invalid or has expired."
+    end
+end
+

railties/lib/rails/generators/rails/authentication/templates/mailers/passwords_mailer.rb

@@ -0,0 +1,6 @@
+class PasswordsMailer < ApplicationMailer
+  def reset(user)
+    @user = user
+    mail subject: "Reset your password", to: user.email_address, from: "[email protected]"
+  end
+end

railties/lib/rails/generators/rails/authentication/templates/models/user.rb

@@ -1,4 +1,4 @@
 class User < ApplicationRecord
-  has_secure_password validations: false
+  has_secure_password
   has_many :sessions, dependent: :destroy
 end

railties/lib/rails/generators/rails/authentication/templates/test/mailers/previews/passwords_mailer_preview.rb

@@ -0,0 +1,7 @@
+# Preview all emails at http://localhost:3000/rails/mailers/passwords_mailer
+class PasswordsMailerPreview < ActionMailer::Preview
+  # Preview this email at http://localhost:3000/rails/mailers/passwords_mailer/reset
+  def reset
+    PasswordsMailer.reset(User.take)
+  end
+end