ruby
9 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
user = User.find_by(email: params[:email].to_s.downcase.strip)
if user
raw_token = SecureRandom.urlsafe_base64(32)
user.password_resets.create!(token_digest: Digest::SHA256.hexdigest(raw_token), expires_at: 30.minutes.from_now)
PasswordResetMailer.with(user: user, token: raw_token).deliver_later
end
render json: { message: 'If that account exists, reset instructions were sent.' }
1 file · ruby
Explain with highlit
Password reset endpoints should reveal as little as possible about account existence. I return the same response for known and unknown emails, store only token digests, and invalidate tokens after first use. Small response details here prevent large information leaks later.
Share this code
Here's the card — post it anywhere.