Add reset_password_verifies_account feature

jeremyevans · jeremyevans · commit fc8aaf39020c · 2026-02-21T10:42:28.000-08:00
This moves the related code from the reset_password feature to its own
feature, so that users only have to pay the cost for the feature if
they are using it.

Update the spec to provide 100% coverage.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,7 @@
+=== master
+
+* Add reset_password_verifies_account feature (manfrin, jeremyevans) (#499)
+
 === 2.42.0 (2025-12-18)
 
 * Avoid mixed string/symbol keys in JSON when using the jwt_refresh feature (jeremyevans)
diff --git a/README.rdoc b/README.rdoc
@@ -64,6 +64,7 @@ view the appropriate file in the doc directory.
 * {Remember}[rdoc-ref:doc/remember.rdoc]
 * {Reset Password}[rdoc-ref:doc/reset_password.rdoc]
 * {Reset Password Notify}[rdoc-ref:doc/reset_password_notify.rdoc]
+* {Reset Password Verifies Account}[rdoc-ref:doc/reset_password_verifies_account.rdoc]
 * {Session Expiration}[rdoc-ref:doc/session_expiration.rdoc]
 * {Single Session}[rdoc-ref:doc/single_session.rdoc]
 * {SMS Codes}[rdoc-ref:doc/sms_codes.rdoc]
diff --git a/demo-site/rodauth_demo.rb b/demo-site/rodauth_demo.rb
@@ -49,7 +49,7 @@ class App < Roda
   plugin :rodauth, :json=>true, :csrf=>:route_csrf do
     db DB
     enable :change_login, :change_password, :close_account, :create_account,
-           :lockout, :login, :logout, :remember, :reset_password, :verify_account,
+           :lockout, :login, :logout, :remember, :reset_password_verifies_account,
            :otp_modify_email, :otp_lockout_email, :recovery_codes, :sms_codes, :disallow_common_passwords,
            :disallow_password_reuse, :password_grace_period, :active_sessions, :jwt,
            :verify_login_change, :change_password_notify, :confirm_password,
diff --git a/doc/reset_password.rdoc b/doc/reset_password.rdoc
@@ -23,7 +23,6 @@ reset_password_email_subject :: The subject to use for the reset password reques
 reset_password_error_flash :: The flash error to show after resetting a password.
 reset_password_explanatory_text :: The text to display above the button to request a password reset.
 reset_password_id_column :: The id column in the +reset_password_table+, should be a foreign key referencing the accounts table.
-reset_password_implicitly_verifies? :: Whether resetting a password for an unverified account implicitly verifies the account, false by default.
 reset_password_key_column :: The reset password key/token column in the +reset_password_table+.
 reset_password_key_param :: The parameter name to use for the reset password key.
 reset_password_notice_flash :: The flash notice to show after resetting a password.
diff --git a/doc/reset_password_verifies_account.rdoc b/doc/reset_password_verifies_account.rdoc
@@ -0,0 +1,6 @@
+= Documentation for Reset Password Feature
+
+The reset password verifies account feature depends on both the reset
+password and verify account features, and makes it so that a valid
+password reset implicitly operates as an account verification, since
+it proves ownership of the related email address.
diff --git a/lib/rodauth/features/reset_password.rb b/lib/rodauth/features/reset_password.rb
@@ -32,7 +32,6 @@ module Rodauth
     auth_value_method :reset_password_deadline_interval, {:days=>1}.freeze
     auth_value_method :reset_password_key_param, 'key'
     auth_value_method :reset_password_autologin?, false
-    auth_value_method :reset_password_implicitly_verifies?, false
     auth_value_method :reset_password_table, :account_password_reset_keys
     auth_value_method :reset_password_id_column, :id
     auth_value_method :reset_password_key_column, :key
@@ -175,7 +174,7 @@ def create_reset_password_key
     end
 
     def reset_password_request_for_unverified_account
-      throw_error_reason(:unverified_account, unopen_account_error_status, login_param, unverified_account_message) unless reset_password_implicitly_verifies?
+      throw_error_reason(:unverified_account, unopen_account_error_status, login_param, unverified_account_message)
     end
 
     def remove_reset_password_key
@@ -232,14 +231,6 @@ def after_login_failure
       super
     end
 
-    def after_reset_password
-      super if defined?(super)
-      if reset_password_implicitly_verifies? && !open_account?
-        verify_account
-        remove_verify_account_key
-      end
-    end
-
     def generate_reset_password_key_value
       @reset_password_key_value = random_key
     end
@@ -267,9 +258,7 @@ def _account_from_reset_password_key(token)
     end
 
     def reset_password_account_status_value
-      statuses = [account_open_status_value]
-      statuses << account_unverified_status_value if reset_password_implicitly_verifies?
-      statuses
+      account_open_status_value
     end
   end
 end
diff --git a/lib/rodauth/features/reset_password_verifies_account.rb b/lib/rodauth/features/reset_password_verifies_account.rb
@@ -0,0 +1,26 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:reset_password_verifies_account, :ResetPasswordVerifiesAccount) do
+    depends :reset_password, :verify_account
+
+    def reset_password_request_for_unverified_account
+      nil
+    end
+
+    private
+
+    def after_reset_password
+      super
+
+      unless open_account?
+        verify_account
+        remove_verify_account_key
+      end
+    end
+
+    def reset_password_account_status_value
+      Array(super) << account_unverified_status_value
+    end
+  end
+end
diff --git a/spec/reset_password_spec.rb b/spec/reset_password_spec.rb
@@ -226,37 +226,6 @@
     page.current_path.must_equal '/reset-password-request'
   end
 
-  it "should support implicit verification when resetting passwords for unverified accounts" do
-    rodauth do
-      enable :login, :reset_password, :verify_account
-      reset_password_implicitly_verifies? true
-      reset_password_autologin? true
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
-    end
-
-    DB[:accounts].update(:status_id=>1)
-    DB[:account_verification_keys].insert(:id=>DB[:accounts].get(:id), :key=>'test')
-
-    visit '/reset-password-request'
-    fill_in 'Login', :with=>'foo@example.com'
-    click_button 'Request Password Reset'
-    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to reset the password for your account"
-
-    link = email_link(/(\/reset-password\?key=.+)$/)
-    visit link
-    fill_in 'Password', :with=>'0123456'
-    fill_in 'Confirm Password', :with=>'0123456'
-    click_button 'Reset Password'
-    page.find('#notice_flash').text.must_equal "Your password has been reset"
-    page.body.must_include("Logged In")
-
-    DB[:accounts].get(:status_id).must_equal 2
-    DB[:account_verification_keys].count.must_equal 0
-  end
-
   [true, false].each do |before|
     it "should clear reset password token when closing account, when loading reset_password #{before ? "before" : "after"}" do
       rodauth do
diff --git a/spec/reset_password_verifies_account_spec.rb b/spec/reset_password_verifies_account_spec.rb
@@ -0,0 +1,36 @@
+require_relative 'spec_helper'
+
+describe 'Rodauth reset_password_verifies_account feature' do
+  it "should support implicit verification when resetting passwords for unverified accounts" do
+    rodauth do
+      enable :login, :logout, :reset_password_verifies_account
+      reset_password_autologin? true
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    DB[:accounts].update(:status_id=>1)
+    DB[:account_verification_keys].insert(:id=>DB[:accounts].get(:id), :key=>'test')
+
+    2.times do |i|
+      visit '/reset-password-request'
+      fill_in 'Login', :with=>'foo@example.com'
+      click_button 'Request Password Reset'
+      page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to reset the password for your account"
+
+      link = email_link(/(\/reset-password\?key=.+)$/)
+      visit link
+      fill_in 'Password', :with=>"0123456#{i}"
+      fill_in 'Confirm Password', :with=>"0123456#{i}"
+      click_button 'Reset Password'
+      page.find('#notice_flash').text.must_equal "Your password has been reset"
+      page.body.must_include("Logged In")
+
+      DB[:accounts].get(:status_id).must_equal 2
+      DB[:account_verification_keys].count.must_equal 0
+      logout
+    end
+  end
+end
diff --git a/www/pages/documentation.erb b/www/pages/documentation.erb
@@ -48,6 +48,7 @@
   <li><a href="rdoc/files/doc/remember_rdoc.html">Remember</a>: Automatically logs a user in based on a token stored in a cookie.</li>
   <li><a href="rdoc/files/doc/reset_password_rdoc.html">Reset Password</a>: Allows users to reset their password if they don't remember it.</li>
   <li><a href="rdoc/files/doc/reset_password_notify_rdoc.html">Reset Password Notify</a>: Emails the user after they have used the Reset Password feature to successfully reset their password.</li>
+  <li><a href="rdoc/files/doc/reset_password_verifies_account.html">Reset Password Verifies Account</a>: Allows password resets for unverified accounts, and verifies account on successful password reset.</li>
   <li><a href="rdoc/files/doc/session_expiration_rdoc.html">Session Expiration</a>: Expires sessions automatically based on inactivity or max lifetime checks.</li>
   <li><a href="rdoc/files/doc/single_session_rdoc.html">Single Session</a>: Allows only a single active session per account.</li>
   <li><a href="rdoc/files/doc/sms_codes_rdoc.html">SMS Codes</a>: Adds support for multifactor authentication via codes received via SMS.</li>
