Password reset flow that avoids user enumeration and token leaks

6929 views

                  user = User.find_by(email: params[:email].to_s.downcase.strip)

if user
  raw_token = SecureRandom.urlsafe_base64(32)
  user.password_resets.create!(token_digest: Digest::SHA256.hexdigest(raw_token), expires_at: 30.minutes.from_now)
  PasswordResetMailer.with(user: user, token: raw_token).deliver_later
end

render json: { message: 'If that account exists, reset instructions were sent.' }

Password reset endpoints should reveal as little as possible about account existence. I return the same response for known and unknown emails, store only token digests, and invalidate tokens after first use. Small response details here prevent large information leaks later.

Kai Nakamura

More from Kai Nakamura

Password reset flow that avoids user enumeration and token leaks

0 Comments

More from Kai Nakamura