Disable auto-login after password reset

[tillprochaska]

Currently, users are automatically logged in after resetting a password. This is definitely a smooth UX in most cases. In our application, we’re extending Clearance with MFA support. Therefore, we’d like users to explicitly sign-in after resetting their password.

Currently, this requires overwriting the PasswordsController#update action. I’d prefer not having to do that for such a small change and was wondering if you think either a configuration option or extracting that behavior into a separate method that can easily be overwritten might make sense. I’d be willing to put in a PR! :)

https://github.com/thoughtbot/clearance/blob/main/app/controllers/clearance/passwords_controller.rb#L36

[tillprochaska]

This ticket from 2019 might be related: #878

[MottiniMauro]

Hi @tillprochaska ! First of all, thank you for raising this issue. I think your idea of adding a configuration option for this would be great, and having it default to its current behavior should help avoid any issues. If you are willing to create a PR for this change that you be appreciated, just let me know if I can provide any help.

[tillprochaska]

Hi @MottiniMauro, thanks a lot for your reply! As far as I can see, this should be a small change. Thanks for offering help -- might get back to this as I’ve never contributed to this gem before!

[tillprochaska]

Hi @MottiniMauro, just wanted to ask if you had a chance to look into the respective PR (#952). No pressure at all, just wanted to make sure this didn’t get lost in day-to-day business.

If there’s anything else I can do to get this PR merged, just let me know! I’ve also added a few comments to the PR where I wasn’t sure about code/documentation style.