ruby 9 lines · 1 tab

Password reset flow that avoids user enumeration and token leaks

Kai Nakamura Apr 2026
1 tab
user = User.find_by(email: params[:email].to_s.downcase.strip)

if user
  raw_token = SecureRandom.urlsafe_base64(32)
  user.password_resets.create!(token_digest: Digest::SHA256.hexdigest(raw_token), expires_at: 30.minutes.from_now)
  PasswordResetMailer.with(user: user, token: raw_token).deliver_later
end

render json: { message: 'If that account exists, reset instructions were sent.' }
1 file · ruby Explain with highlit

Password reset endpoints should reveal as little as possible about account existence. I return the same response for known and unknown emails, store only token digests, and invalidate tokens after first use. Small response details here prevent large information leaks later.

Share this code

Here's the card — post it anywhere.

Password reset flow that avoids user enumeration and token leaks — share card
Link copied