diff --git a/app/controllers/login_controller.rb b/app/controllers/login_controller.rb
index f604cde..ecdf166 100644
--- a/app/controllers/login_controller.rb
+++ b/app/controllers/login_controller.rb
@@ -55,25 +55,29 @@ class LoginController < ApplicationController
 def set_new_password
 @title = "Reset Password"
 
- if params[:token].blank? ||
- !(@reset_user = User.where(:password_reset_token => params[:token].to_s).first)
+ if (m = params[:token].to_s.match(/^(\d+)-/)) &&
+ (Time.now - Time.at(m[1].to_i)) < 24.hours
+ @reset_user = User.where(:password_reset_token => params[:token].to_s).first
+ end
+
+ if @reset_user
+ if params[:password].present?
+ @reset_user.password = params[:password]
+ @reset_user.password_confirmation = params[:password_confirmation]
+ @reset_user.password_reset_token = nil
+
+ # this will get reset upon save
+ @reset_user.session_token = nil
+
+ if @reset_user.save && @reset_user.is_active?
+ session[:u] = @reset_user.session_token
+ return redirect_to "/"
+ end
+ end
+ else
 flash[:error] = "Invalid reset token. It may have already been " <<
 "used or you may have copied it incorrectly."
 return redirect_to forgot_password_url
 end
-
- if params[:password].present?
- @reset_user.password = params[:password]
- @reset_user.password_confirmation = params[:password_confirmation]
- @reset_user.password_reset_token = nil
-
- # this will get reset upon save
- @reset_user.session_token = nil
-
- if @reset_user.save && @reset_user.is_active?
- session[:u] = @reset_user.session_token
- return redirect_to "/"
- end
- end
 end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index c7e96eb..f3abc17 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -174,7 +174,7 @@ class User < ActiveRecord::Base
 end
 def initiate_password_reset_for_ip(ip)
- self.password_reset_token = Utils.random_str(40)
+ self.password_reset_token = "#{Time.now.to_i}-#{Utils.random_str(30)}"
 self.save!
 PasswordReset.password_reset_link(self, ip).deliver
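Review bot: The timestamp check added at the top of set_new_password anchors with `^`, which in Ruby matches at the start of any line, so a multi-line token value still satisfies the format test; use `if (m = params[:token].to_s.match(/\A(\d+)-/)) &&` — the exact-match DB lookup on the following line is what actually authenticates the token, so this is hygiene rather than a bypass, but `^`/`$` in validation is a standing footgun. The `24.hours` window is a magic number shared with the token format produced in User#initiate_password_reset_for_ip in the second hunk; hoisting it to a named constant such as `PASSWORD_RESET_TOKEN_TTL = 24.hours` keeps issuer and verifier in sync and gives the expiry a documented home. Tokens issued before this change (a plain random string with no `<epoch>-` prefix) no longer match the regex, so outstanding reset links are presumably invalidated at deploy, and an expired token now lands in the same "Invalid reset token. It may have already been used" flash without mentioning expiry; adding "or expired" to that message would make the failure mode clear to the user. An expired token is also left in password_reset_token rather than cleared, which is harmless under this check but worth a comment such as `# expired tokens are never cleared; the timestamp prefix alone rejects them`.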