
BE: user password recovery#30

Open
walczyk123 wants to merge 6 commits into master from BE-kw-add-password-recovery

Conversation

@walczyk123

Collaborator

Changes

  • add password controller which allows creating a random reset-password token and resetting the password via this token

Comment thread backend/app/services/reset_password_service.rb
end

def reset_password(user)
if user.update(password: @password, password_confirmation: @password_confirmation, reset_password_token: nil, reset_password_sent_at: nil)

Check failure

Code scanning / CodeQL

Clear-text storage of sensitive information

This stores sensitive data returned by a parameter password_confirmation as clear text.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to ensure that the passwords are encrypted before being stored in the database. The best way to achieve this is by using a well-known library like bcrypt to hash the passwords. This will ensure that even if the database is compromised, the passwords are not stored in plain text and are thus protected.

  1. Install the bcrypt gem if it is not already installed.
  2. Modify the reset_password method to hash the passwords before storing them in the database.
Suggested changeset 1
backend/app/services/reset_password_service.rb

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/backend/app/services/reset_password_service.rb b/backend/app/services/reset_password_service.rb
--- a/backend/app/services/reset_password_service.rb
+++ b/backend/app/services/reset_password_service.rb
@@ -1 +1,3 @@
+require 'bcrypt'
+
 class ResetPasswordService < BaseService
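Review bot: the explicit require 'bcrypt' is only useful if the gem is not already a declared dependency, yet the changeset does not touch the Gemfile even though the suggestion above says to install the gem if it is missing. Either add the gem to the Gemfile in the same change, or drop the require if bcrypt is already bundled (Bundler loads it for a Rails app).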
@@ -32,3 +34,5 @@
   def reset_password(user)
-    if user.update(password: @password, password_confirmation: @password_confirmation, reset_password_token: nil, reset_password_sent_at: nil)
+    hashed_password = BCrypt::Password.create(@password)
+    hashed_password_confirmation = BCrypt::Password.create(@password_confirmation)
+    if user.update(password: hashed_password, password_confirmation: hashed_password_confirmation, reset_password_token: nil, reset_password_sent_at: nil)
       :success
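Review bot: the two BCrypt::Password.create calls each draw a fresh random salt, so hashed_password and hashed_password_confirmation will never be equal, and a model that validates password_confirmation will reject every update. Pre-hashing in the service is also wrong if User already hashes on assignment (has_secure_password or Devise), because the stored digest would then be a hash of a hash and the user's real password would no longer authenticate. If the model already hashes, the original line is fine and the CodeQL finding should be dismissed with that justification; if it does not, the fix belongs in the model, not in hashing password and password_confirmation separately here.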
EOF
Comment thread backend/app/controllers/passwords_controller.rb Outdated
Comment thread backend/app/mailers/password_mailer.rb Outdated
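For the thread above, here is an added example (not code from this PR or the project) of a reset flow in which the service stores only a digest of the random token, enforces expiry and single use, and leaves password hashing to the model. The User class is a stand-in for a has_secure_password model using stdlib PBKDF2 in place of bcrypt so it runs without gems; TOKEN_TTL and the method names are assumptions.

```ruby
require 'securerandom'
require 'openssl'

# Stand-in for a Rails model with has_secure_password: the password is hashed
# on assignment (PBKDF2 via stdlib OpenSSL instead of bcrypt, so no gem is
# needed) and only the digest is kept. The service below never hashes it.
class User
  attr_accessor :reset_password_token, :reset_password_sent_at
  attr_reader :password_digest

  def password=(plain)
    @salt = SecureRandom.bytes(16)
    @password_digest = kdf(plain, @salt)
  end

  def authenticate(plain)
    OpenSSL.fixed_length_secure_compare(@password_digest, kdf(plain, @salt))
  end

  private

  def kdf(plain, salt)
    OpenSSL::KDF.pbkdf2_hmac(plain, salt: salt, iterations: 100_000, length: 32, hash: 'sha256')
  end
end

TOKEN_TTL = 2 * 60 * 60 # assumed: reset links are valid for two hours

class ResetPasswordService
  # Issue a random single-use token. Only its SHA-256 digest is stored, so a
  # leaked users table does not yield usable reset links. The raw token is
  # returned for the e-mail and never written to the database.
  def self.issue_token(user, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)
    user.reset_password_token = digest(token)
    user.reset_password_sent_at = now
    token
  end

  def self.reset(user, token, password, confirmation, now: Time.now)
    return :invalid_token unless user.reset_password_token && user.reset_password_sent_at
    return :expired if now - user.reset_password_sent_at > TOKEN_TTL
    return :invalid_token unless OpenSSL.fixed_length_secure_compare(user.reset_password_token, digest(token))
    return :mismatch unless password == confirmation
    user.password = password # the model hashes; no pre-hashing in the service
    user.reset_password_token = nil # single use: clear the token on success
    user.reset_password_sent_at = nil
    :success
  end

  def self.digest(token)
    OpenSSL::Digest::SHA256.digest(token)
  end
end
```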
@walczyk123 walczyk123 requested a review from Barcol April 8, 2025 11:44