mirror of https://github.com/volatiletech/authboss.git synced 2024-11-24 08:42:17 +02:00

allow to customize if the user is going to be signed in after recover

Kaio Magalhães 2017-03-31 23:09:03 -03:00
parent 182aab547e
commit 760c14b32c
4 changed files with 11 additions and 4 deletions


@ -267,7 +267,7 @@ provided in the e-mail and their account becomes confirmed, they will automatica
**How it works:** The user goes to the password recovery page. They then enter their primary ID two times and press recover.
An e-mail is sent to the user that includes a token that expires after some time. The user clicks the link
in the e-mail and is prompted to enter a new password. Once the password they enter passes all policies
their new password is stored, they are logged in and redirected to the RecoverOKPath.
their new password is stored, they are redirected to the RecoverOkPath and logged in if AllowLoginAfterResetPassword is set to true.
## <a name="remember"></a> Remember Me (persistent login)
**Requirements:**


@ -26,6 +26,9 @@ type Config struct {
// authboss.StoreEmail, authboss.StoreUsername (StoreEmail is default)
PrimaryID string
// Allow the user to be automatically signed in after reset his password
AllowLoginAfterResetPassword bool
// Layout that all authboss views will be inserted into.
Layout *template.Template
// LayoutHTMLEmail is for emails going out in HTML form, authbosses e-mail templates
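Review bot: The comment on `AllowLoginAfterResetPassword` does not say that the zero value (false) turns off the sign-in that the recover handler performed unconditionally before this commit, so existing configurations change behaviour on upgrade without setting anything. I would state the default and the trade-off in the field comment, for example `// AllowLoginAfterResetPassword, when true, starts a session as soon as a recovery token is redeemed;` followed by `// the default (false) leaves the user logged out after the reset.` It is also worth one sentence that enabling it makes control of the recovery e-mail sufficient to obtain a session, so integrators choose it deliberately. The Config struct begins and ends outside this hunk.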


@ -276,7 +276,9 @@ func (r *Recover) completeHandlerFunc(ctx *authboss.Context, w http.ResponseWrit
return err
}
ctx.SessionStorer.Put(authboss.SessionKey, primaryID)
if r.Authboss.AllowLoginAfterResetPassword {
ctx.SessionStorer.Put(authboss.SessionKey, primaryID)
}
response.Redirect(ctx, w, req, r.AuthLoginOKPath, "", "", true)
default:
w.WriteHeader(http.StatusMethodNotAllowed)
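Review bot: When `AllowLoginAfterResetPassword` is false the handler still redirects to `r.AuthLoginOKPath`, so a user who has no session is sent to the post-login destination, while the README text changed in this same commit says the target is the RecoverOKPath. If Config exposes a recovery-specific path, as the README implies, redirecting there would keep code and documentation in agreement, e.g. `response.Redirect(ctx, w, req, r.RecoverOKPath, "", "", true)`; the field name should be confirmed against Config, which is not shown here. Separately, the hunk does not show whether other live sessions or remember-me tokens for the account are invalidated when the password changes, which is worth confirming because recovery is often used after a suspected compromise. completeHandlerFunc begins and ends outside this hunk.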


@ -430,6 +430,8 @@ func TestRecover_completeHandlerFunc_POST(t *testing.T) {
return nil
})
rec.Authboss.AllowLoginAfterResetPassword = false
ctx, w, r, sessionStorer := testRequest(rec.Authboss, "POST", "token", testURLBase64Token, authboss.StorePassword, "abcd", "confirm_"+authboss.StorePassword, "abcd")
if err := rec.completeHandlerFunc(ctx, w, r); err != nil {
@ -455,8 +457,8 @@ func TestRecover_completeHandlerFunc_POST(t *testing.T) {
t.Error("Expected EventPasswordReset callback to have been fired")
}
if val, ok := sessionStorer.Get(authboss.SessionKey); !ok || val != "john" {
t.Error("Expected SessionKey to be:", "john")
if _, ok := sessionStorer.Get(authboss.SessionKey); ok {
t.Error("Should not have logged the user in since AllowInsecureLoginAfterConfirm is false.")
}
if w.Code != http.StatusFound {
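Review bot: The failure message in the new assertion names `AllowInsecureLoginAfterConfirm`, but the flag this test sets is `AllowLoginAfterResetPassword`, so a failing run would point at the wrong option. Suggested wording: `t.Error("Should not have logged the user in since AllowLoginAfterResetPassword is false.")`. The test now covers only the false case, so the branch that writes `authboss.SessionKey` when the flag is true no longer has an assertion; a second case that sets the flag to true and expects `"john"` in the session would restore that coverage. TestRecover_completeHandlerFunc_POST begins and ends outside these hunks.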