rubygems · martinemde · Jan 11, 2025 · Nov 29, 2024 · martinemde · Dec 1, 2024
diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
@@ -38,10 +38,11 @@ def update
       @user.reset_api_key! if reset_params[:reset_api_key] == "true" # singular
       @user.api_keys.expire_all! if reset_params[:reset_api_keys] == "true" # plural
       delete_password_reset_session
+      flash[:notice] = t(".success")
       redirect_to signed_in? ? dashboard_path : sign_in_path
     else
       flash.now[:alert] = t(".failure")
-      render :edit
+      render :edit, status: :unprocessable_entity
     end
   end
 
@@ -65,6 +66,7 @@ def ensure_email_present
 
   def validate_confirmation_token
     confirmation_token = params.permit(:token).fetch(:token, "").to_s
+    return login_failure(t("passwords.edit.token_failure")) if confirmation_token.blank?
     @user = User.find_by(confirmation_token:)
     return login_failure(t("passwords.edit.token_failure")) unless @user&.valid_confirmation_token?
     sign_out if signed_in? && @user != current_user
@@ -82,7 +84,7 @@ def password_reset_session_verified
 
   def validate_password_reset_session
     return login_failure(t("passwords.edit.token_failure")) if session[:password_reset_verified].nil?
-    return login_failure(t("verification_expired")) if session[:password_reset_verified] < Time.current
+    return login_failure(t("verification_expired")) if Time.current.after?(session[:password_reset_verified])
     @user = User.find_by(id: session[:password_reset_verified_user])
     login_failure(t("verification_expired")) unless @user
   end
@@ -98,8 +100,7 @@ def reset_params
   end
 
   def mfa_failure(message)
-    flash.now.alert = message
-    render template: "multifactor_auths/prompt", status: :unauthorized
+    prompt_mfa(alert: message, status: :unauthorized)
   end
 
   def login_failure(alert)

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -212,12 +212,12 @@ def total_rubygems_count
 
   def confirm_email!
     return false if unconfirmed_email && !update_email
-    update!(email_confirmed: true, confirmation_token: nil)
+    update!(email_confirmed: true, confirmation_token: nil, token_expires_at: Time.zone.now)
   end
 
-  # confirmation token expires after 15 minutes
+  # confirmation token expires after 3 hours
   def valid_confirmation_token?
-    token_expires_at > Time.zone.now
+    confirmation_token.present? && Time.zone.now.before?(token_expires_at)
   end
 
   def generate_confirmation_token(reset_unconfirmed_email: true)

diff --git a/app/views/multifactor_auths/prompt.html.erb b/app/views/multifactor_auths/prompt.html.erb
@@ -19,7 +19,7 @@
         <div class="text_field">
           <% if @user.totp_enabled? %>
             <%= label_tag :otp, t(".otp_or_recovery"), class: 'form__label' %>
-            <%= text_field_tag :otp, '', class: 'form__input', autofocus: true, autocomplete: :off %>
+            <%= text_field_tag :otp, '', class: 'form__input', autofocus: true, autocomplete: "one-time-code" %>
           <% elsif @user.webauthn_only_with_recovery? %>
             <%= text_field_tag :otp,
               '',

diff --git a/config/locales/de.yml b/config/locales/de.yml
@@ -543,6 +543,7 @@ de:
         Ändern deines Passworts.
       failure_on_missing_email: Die E-Mail darf nicht leer sein.
     update:
+      success:
       failure: Dein Passwort konnte nicht geändert werden. Bitte versuche es erneut.
   multifactor_auths:
     session_expired: Deine Sitzung auf der Anmeldeseite ist abgelaufen.

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -474,6 +474,7 @@ en:
       success: You will receive an email within the next few minutes. It contains instructions for changing your password.
       failure_on_missing_email: Email can't be blank.
     update:
+      success: Your password has been changed.
       failure: Your password could not be changed. Please try again.
   multifactor_auths:
     session_expired: Your login page session has expired.
@@ -516,7 +517,7 @@ en:
       otp_code: OTP code
       otp_or_recovery: OTP or recovery code
       recovery_code: Recovery code
-      recovery_code_html: 'You can use a valid  <a href="https://guides.rubygems.org/setting-up-multifactor-authentication/#using-recovery-codes-and-re-setup-a-previously-enabled-mfa", class="t-link">recovery code</a> if you have lost access to your multi-factor authentication device or to your security device.'
+      recovery_code_html: 'You can use a valid <a href="https://guides.rubygems.org/setting-up-multifactor-authentication/#using-recovery-codes-and-re-setup-a-previously-enabled-mfa", class="t-link">recovery code</a> if you have lost access to your multi-factor authentication device or to your security device.'
       security_device: Security Device
       verify_code: Verify code
   totps:

diff --git a/config/locales/es.yml b/config/locales/es.yml
@@ -529,6 +529,7 @@ es:
       success:
       failure_on_missing_email:
     update:
+      success:
       failure:
   multifactor_auths:
     session_expired: Ha expirado tu sesión en la página de acceso.

diff --git a/config/locales/fr.yml b/config/locales/fr.yml
@@ -493,6 +493,7 @@ fr:
       success:
       failure_on_missing_email:
     update:
+      success:
       failure:
   multifactor_auths:
     session_expired:

diff --git a/config/locales/ja.yml b/config/locales/ja.yml
@@ -473,6 +473,7 @@ ja:
       success: 数分でEメールが届きます。メールにはパスワードを変更する手順が記載されています。
       failure_on_missing_email: Eメールは空にできません。
     update:
+      success:
       failure: パスワードを変更できませんでした。もう一度お試しください。
   multifactor_auths:
     session_expired: ログインページのセッションが期限切れになりました。

diff --git a/config/locales/nl.yml b/config/locales/nl.yml
@@ -478,6 +478,7 @@ nl:
       success:
       failure_on_missing_email:
     update:
+      success:
       failure:
   multifactor_auths:
     session_expired:

diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml
@@ -490,6 +490,7 @@ pt-BR:
       success:
       failure_on_missing_email:
     update:
+      success:
       failure:
   multifactor_auths:
     session_expired:

diff --git a/config/locales/zh-CN.yml b/config/locales/zh-CN.yml
@@ -480,6 +480,7 @@ zh-CN:
       success:
       failure_on_missing_email:
     update:
+      success:
       failure:
   multifactor_auths:
     session_expired: 您的登录页面会话已过期。

diff --git a/config/locales/zh-TW.yml b/config/locales/zh-TW.yml
@@ -474,6 +474,7 @@ zh-TW:
       success:
       failure_on_missing_email:
     update:
+      success:
       failure:
   multifactor_auths:
     session_expired: 您的登入頁面工作階段已過期。

diff --git a/test/factories/user.rb b/test/factories/user.rb
@@ -13,6 +13,10 @@
     end
     mfa_hashed_recovery_codes { mfa_recovery_codes.map { |code| BCrypt::Password.create(code) } }
 
+    after :create do |user, evaluator|
+      user.confirm_email! if evaluator.email_confirmed != false && evaluator.unconfirmed_email.blank?
+    end
+
     trait :unconfirmed do
       email_confirmed { false }
       unconfirmed_email { "#{SecureRandom.hex(8)}#{email}" }