From 832d1e3bd742fd11a67ea12e92b06ac91c81980d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sun, 19 Feb 2023 14:41:16 +0800
Subject: [PATCH 1/4] Improve layout of password reset form

---
 app/views/devise/passwords/edit.html.erb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/views/devise/passwords/edit.html.erb b/app/views/devise/passwords/edit.html.erb
index adc8816..411f101 100644
--- a/app/views/devise/passwords/edit.html.erb
+++ b/app/views/devise/passwords/edit.html.erb
@@ -11,7 +11,7 @@
       <%= f.label :password, "New password" %>
     </p>
     <p>
-      <%= f.password_field :password, autofocus: true, autocomplete: "new-password" %>
+      <%= f.password_field :password, autofocus: true, autocomplete: "new-password", class: "w-full" %>
       <% if @minimum_password_length %>
         <br><em class="text-sm text-gray-500">(<%= @minimum_password_length %> characters minimum)</em>
       <% end %>
@@ -20,10 +20,10 @@
       <%= f.label :password_confirmation, "Confirm new password" %>
     </p>
     <p>
-      <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
+      <%= f.password_field :password_confirmation, autocomplete: "new-password", class: "w-full"%>
     </p>
     <p class="mt-8">
-      <%= f.submit "Change my password", class: 'btn-md btn-blue' %>
+      <%= f.submit "Change my password", class: 'btn-md btn-blue w-full' %>
     </p>
   <% end %>
 

From b9259958f4882989893ff37e85faca8569d1037e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sun, 19 Feb 2023 14:41:45 +0800
Subject: [PATCH 2/4] Add spec to prove issue #28

---
 spec/features/devise/password_reset.rb | 32 ++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 spec/features/devise/password_reset.rb

diff --git a/spec/features/devise/password_reset.rb b/spec/features/devise/password_reset.rb
new file mode 100644
index 0000000..d31bc80
--- /dev/null
+++ b/spec/features/devise/password_reset.rb
@@ -0,0 +1,32 @@
+require 'rails_helper'
+
+RSpec.describe 'Password reset', type: :feature do
+  let(:user) { create :user }
+
+  before do
+    login_as user, :scope => :user
+  end
+
+  scenario 'Send password reset email' do
+    expect(user.reset_password_token).to be_nil
+
+    visit settings_account_path
+    click_button "Send me a password reset link"
+    expect(page).to have_content 'Please check your inbox'
+    expect(user.reload.reset_password_token).to be_a(String)
+  end
+
+  scenario "Reset password" do
+    # Generate a raw reset token, since the stored one is only a digest
+    token = user.send(:set_reset_password_token)
+    logout
+    visit edit_user_password_path(reset_password_token: token)
+    expect(page).to have_content 'Change your password'
+
+    fill_in :user_password, with: 'a new password'
+    fill_in :user_password_confirmation, with: 'a new password with a typo'
+    click_button 'Change my password'
+
+    expect(page).to have_content 'Confirmation does not match'
+  end
+end

From b67d6139ac32dfd740ea01d3e90b6b41f83c7dfd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sun, 19 Feb 2023 15:50:19 +0800
Subject: [PATCH 3/4] Fix password validation during password reset

fixes #28
---
 app/models/user.rb                     | 10 ++++---
 spec/features/devise/password_reset.rb | 40 ++++++++++++++++++++------
 2 files changed, 37 insertions(+), 13 deletions(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 660d53c..a627661 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -33,10 +33,12 @@ class User < ApplicationRecord
   end
 
   def reset_password(new_password, new_password_confirmation)
-    if new_password == new_password_confirmation && ::Devise.ldap_update_password
-      Devise::LDAP::Adapter.update_password(login_with, new_password)
-    end
-    clear_reset_password_token if valid?
+    self.password = new_password
+    self.password_confirmation = new_password_confirmation
+    return false unless valid?
+
+    Devise::LDAP::Adapter.update_password(login_with, new_password)
+    clear_reset_password_token
     save
   end
 
diff --git a/spec/features/devise/password_reset.rb b/spec/features/devise/password_reset.rb
index d31bc80..c12396c 100644
--- a/spec/features/devise/password_reset.rb
+++ b/spec/features/devise/password_reset.rb
@@ -16,17 +16,39 @@ RSpec.describe 'Password reset', type: :feature do
     expect(user.reload.reset_password_token).to be_a(String)
   end
 
-  scenario "Reset password" do
+  describe "Password reset form" do
     # Generate a raw reset token, since the stored one is only a digest
-    token = user.send(:set_reset_password_token)
-    logout
-    visit edit_user_password_path(reset_password_token: token)
-    expect(page).to have_content 'Change your password'
+    let(:token) { user.send(:set_reset_password_token) }
 
-    fill_in :user_password, with: 'a new password'
-    fill_in :user_password_confirmation, with: 'a new password with a typo'
-    click_button 'Change my password'
+    before do
+      logout
+    end
 
-    expect(page).to have_content 'Confirmation does not match'
+    scenario "Submit with invalid passwords" do
+      expect(Devise::LDAP::Adapter).not_to receive(:update_password)
+
+      visit edit_user_password_path(reset_password_token: token)
+      fill_in :user_password, with: 'nice try'
+      fill_in :user_password_confirmation, with: 'nice try o'
+      click_button 'Change my password'
+      expect(page).to have_content 'Password is too short'
+
+      fill_in :user_password, with: 'a new password'
+      fill_in :user_password_confirmation, with: 'a new password with a typo'
+      click_button 'Change my password'
+      expect(page).to have_content 'Password confirmation doesn\'t match'
+    end
+
+    scenario "Submit with valid passwords" do
+      expect(Devise::LDAP::Adapter).to receive(:update_password)
+        .with(user.cn, 'catch me if you can').and_return(true)
+
+      visit edit_user_password_path(reset_password_token: token)
+      fill_in :user_password, with: 'catch me if you can'
+      fill_in :user_password_confirmation, with: 'catch me if you can'
+      click_button 'Change my password'
+      expect(page).to have_content 'Your password has been changed successfully'
+      expect(user.reload.reset_password_token).to be_nil
+    end
   end
 end

From 7dae66959e16cf257e737100b976be2f1b1e22c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sun, 19 Feb 2023 15:51:00 +0800
Subject: [PATCH 4/4] Formatting

---
 app/views/devise/passwords/edit.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/devise/passwords/edit.html.erb b/app/views/devise/passwords/edit.html.erb
index 411f101..42375fe 100644
--- a/app/views/devise/passwords/edit.html.erb
+++ b/app/views/devise/passwords/edit.html.erb
@@ -20,7 +20,7 @@
       <%= f.label :password_confirmation, "Confirm new password" %>
     </p>
     <p>
-      <%= f.password_field :password_confirmation, autocomplete: "new-password", class: "w-full"%>
+      <%= f.password_field :password_confirmation, autocomplete: "new-password", class: "w-full" %>
     </p>
     <p class="mt-8">
       <%= f.submit "Change my password", class: 'btn-md btn-blue w-full' %>