Opening reset password page with no token when there is no new_user_session_path raises error

[bruno-campos]

Environment

• Ruby 2.5.0
• Rails 5.2.0
• Devise 4.4.3

Current behavior

In an application where I do not have sessions path (use mostly as API and only left confirmations and passwords routes for email confirmation and password reset).

# routes.rb
devise_for :users,
               only: %i(confirmations passwords),
               controllers: { confirmations: "confirmations", passwords: "passwords" }

When visiting the reset password page without a token:

Visit: http://HOST/users/password/edit

It will try to redirect to new_user_session_path and raise error:

undefined method `new_user_session_path' for #<ActionDispatch::Routing::RoutesProxy:0x00007f9f1a1e7240>


actionpack (5.2.0) lib/action_dispatch/routing/routes_proxy.rb:50:in `method_missing'
devise (4.4.3) lib/devise/controllers/url_helpers.rb:53:in `block (4 levels) in generate_helpers!'
devise (4.4.3) app/controllers/devise/passwords_controller.rb:67:in `assert_reset_token_passed'

Expected behavior

I would expect an error saying that the token is invalid or not present.

[colinross]

The error you are getting comes from the base views provided by devise, which does make some assumptions about having the core routes defined (including the sessions controller).

You want to override devise/app/views/devise/shared/_links.html.erb to remove the link and then you should get a flash message about the password token not being present.

rails generate devise:views will populate (all) the devise views into your app's view templates, but you only need to keep the ones you wish to override.

[bruno-campos]

Thanks for the response colinross! That error comes from the assert_reset_token_passed method. https://github.com/plataformatec/devise/blob/master/app/controllers/devise/passwords_controller.rb#L67

I'm not using the shared/_links file. So what I did was to override the assert_reset_token_passed method in my custom passwords controller. It's not a big deal, but I think it would be nice to not try to redirect to new_session_path when the token is not present (or just show the same error as when the token is invalid).

[tegon]

Hey @bruno-campos, thanks for reporting this.

We don't have full support for API-only applications, so that's why this happens. You'll see that in some places we using a conditional to avoid the redirects, so if want to open a pull request for this it'd be welcome.
But still, that wouldn't return the errors in a JSON format that would be more appropriate for an API.

[colinross]

I've thought about adding 'api-only' support directly into devise (since I have used it like this a couple times and the overriding gets tedious, like likely many here).
On that note, what do we see as the expected behavior of an 'api' mode? More specifically

1. Can we make the assumption that 'api' mode would mean JSON responses? As opposed to specifically JSON-API format, or even XML/RPC etc. Should it be neutral and require a driver/strategy ala warden-style, or should it be basic json with the ability to override?
2. Are there pieces of the request cycle that would change, or just responses? I'm thinking about how an API, in general, would want to handle sessions might change [I have done so myself in the past with such applications]

I'm willing to put some time towards this, but I'd want at least a nod from the core-devs as to the direction they would prefer, even if it was just 'be smart about sniffing out if we are in an API or Standard controller, and be consistent about handling redirects/views

[tegon]

Closing to move the discussion to #4947