Add configurable password reset token expiration #1086
Open
aripollak wants to merge 5 commits into thoughtbot:main from
Conversation
Fixes thoughtbot#465

Introduces `password_reset_token_expiration_in` configuration option (defaults to nil, preserving existing no-expiry behaviour). When set, `forgot_password!` stamps `confirmation_token_created_at` and `password_reset_token_expired?` enforces the window. The controller rejects expired tokens the same way it rejects invalid ones.

The generator and migration templates add the new column so existing installs get it via the standard `rails generate clearance:install` additive migration path. Guards against the column not yet existing (pre-migration) so the feature is safe to deploy before running migrations.
Member
@aripollak Thanks for the PR. Looks promising! I'll do a proper code review next week and provide feedback.
Member
@sej3506 you may also want to take a look :)
aripollak commented Mar 16, 2026
Comment on lines +77 to +80:
    # When set, `forgot_password!` records the time the token was issued.
    # Tokens with no recorded issue time (e.g. issued before upgrading or
    # before running the migration) are treated as expired, forcing users to
    # re-request a reset.
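Review bot: the comment on +77 to +80 should state the default as well, since these are the lines a reader of the config will see: the PR description says the option defaults to nil and preserves the no-expiry behaviour, but the comment only describes what happens "when set". It is also worth spelling out the consequence of the "before running the migration" clause on +78 to +79: if the option is configured and the new column has not been added yet, every outstanding reset token is treated as expired, so an install that deploys with the option set before migrating will reject all resets until the migration runs. The description calls that ordering safe, which is true in the sense of not crashing, but fail-closed is a different thing from transparent; one sentence such as "Leave unset (nil) until the migration has run if you need existing tokens to keep working" would make the trade-off explicit.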
Author
I'm guessing this is too much explanation for a configuration variable.
Member
@aripollak this looks good! We have a couple of upgrades/security releases we'd like to do first and then we'll ship this. Thank you!
I took a stab at implementing #465.

Introduces `password_reset_token_expiration_in` configuration option (defaults to nil, preserving existing no-expiry behavior). When set, `forgot_password!` stamps `confirmation_token_created_at` and `password_reset_token_expired?` enforces the window. The controller rejects expired tokens the same way it rejects invalid ones.

The generator and migration templates add the new column so existing installs get it via the standard `rails generate clearance:install` additive migration path. Guards against the column not yet existing (pre-migration) so the feature is safe to deploy before running migrations.
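The mechanism the description above lays out (a nil-default expiry window, a timestamp stamped by `forgot_password!`, a `password_reset_token_expired?` check, a guard for the not-yet-migrated column, and a controller that treats expired and invalid tokens alike) together with the rule from the review comment that a token with no recorded issue time is treated as expired, as an added example in plain Ruby. This is not Clearance's code and not the PR's code: `ResetTokenDemo`, its `Config` struct, the `columns` list that stands in for the table schema, and the `reset_token_valid?` controller helper are all hypothetical stand-ins so the example runs without Rails or a database. Stamping the timestamp whenever the column exists (rather than only when the option is set) and failing closed when the column is missing are assumptions about behaviour the page does not spell out.

```ruby
require "securerandom"

# Added example, not Clearance's or the PR's own code. Models the PR's reset
# token expiry mechanism with plain Ruby objects so it runs without Rails.
module ResetTokenDemo
  # password_reset_token_expiration_in: window in seconds, or nil for the
  # no-expiry default described in the PR.
  Config = Struct.new(:password_reset_token_expiration_in)

  class User
    attr_reader :attributes

    # `columns` is a hypothetical stand-in for the users table schema. Omit
    # :confirmation_token_created_at to simulate an install that has deployed
    # the code but not yet run the new migration.
    def initialize(config, columns: %i[confirmation_token confirmation_token_created_at])
      @config = config
      @columns = columns
      @attributes = {}
    end

    # Issues a fresh token and, when the column exists, records the issue time.
    # Skipping the stamp when the column is absent is the pre-migration guard.
    def forgot_password!(now = Time.now)
      @attributes[:confirmation_token] = SecureRandom.hex(20)
      if column?(:confirmation_token_created_at)
        @attributes[:confirmation_token_created_at] = now
      end
      @attributes[:confirmation_token]
    end

    def password_reset_token_expired?(now = Time.now)
      window = @config.password_reset_token_expiration_in
      return false if window.nil? # default: tokens never expire

      issued_at = column?(:confirmation_token_created_at) ? @attributes[:confirmation_token_created_at] : nil
      # No recorded issue time (token predates the upgrade, or the migration
      # has not run): fail closed and make the user request a new token.
      return true if issued_at.nil?

      now - issued_at > window
    end

    private

    def column?(name)
      @columns.include?(name)
    end
  end

  # Controller-side check (hypothetical helper). Invalid and expired tokens
  # yield the same false result, so the caller can render one generic error
  # and not reveal which condition failed.
  def self.reset_token_valid?(user, presented, now = Time.now)
    stored = user.attributes[:confirmation_token]
    return false if stored.nil? || presented.nil?
    return false unless secure_compare(stored, presented)

    !user.password_reset_token_expired?(now)
  end

  # Constant-time comparison so token lookup does not leak a timing side channel.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

To exercise it, build a `Config` with a window in seconds (e.g. `ResetTokenDemo::Config.new(15 * 60)`), call `forgot_password!` with a fixed `Time`, and evaluate `reset_token_valid?` at times inside and outside the window; constructing the user with `columns: %i[confirmation_token]` shows the fail-closed behaviour when the migration has not run and the option is set.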