Does this skill require external gems like Devise?

No, it utilizes the native password reset token features introduced in Rails 8, making your application lighter and easier to maintain.

How long are the reset tokens valid for by default?

Tokens are valid for 15 minutes by default, but this can be customized via the password_reset_token_in configuration in your initializers.

How does this skill prevent hackers from finding valid user emails?

The implementation follows the principle of not revealing user existence by showing the same success message regardless of whether the email exists in the database.

Is the token invalidated after a single use?

Yes, the flow is designed so that once the password is successfully updated, the token is effectively invalidated for further use.

Rails 8 Password Reset Flow

Name: Rails 8 Password Reset Flow
Author: rbarazi

byrbarazi

보안 및 테스팅

Implements secure, gem-free password recovery workflows using Rails 8's native token generation features.

소개

This skill provides a comprehensive pattern for implementing a secure 'forgot password' flow in Ruby on Rails 8 applications without relying on external gems. It leverages Rails 8's built-in signed token generation and has_secure_password to create time-limited, single-use recovery links. The implementation follows industry-standard security best practices, including protecting user privacy by avoiding user enumeration, enforcing cryptographically secure signatures, and providing integrated mailers and controllers for a production-ready authentication experience.

주요 기능

Native Rails 8 token generation with built-in has_secure_password support
Privacy-focused design that prevents user enumeration via unified flash messages
Automated 15-minute token expiration with customizable timeout settings
Complete boilerplate for controllers, mailers, and internationalized views
Security-hardened patterns including single-use tokens and signed signatures
0 GitHub stars

사용 사례

Adding a 'Forgot Password' feature to a new or existing Rails 8 application
Migrating from heavy authentication gems to a lightweight, native Rails implementation
Implementing secure, time-sensitive account recovery for production environments

소개

주요 기능

Native Rails 8 token generation with built-in has_secure_password support
Privacy-focused design that prevents user enumeration via unified flash messages
Automated 15-minute token expiration with customizable timeout settings
Complete boilerplate for controllers, mailers, and internationalized views
Security-hardened patterns including single-use tokens and signed signatures
0 GitHub stars

사용 사례

Adding a 'Forgot Password' feature to a new or existing Rails 8 application
Migrating from heavy authentication gems to a lightweight, native Rails implementation
Implementing secure, time-sensitive account recovery for production environments