Password reset tokens and password updates

app/controllers/api/password_resets_controller.rb

@@ -3,11 +3,14 @@ module Api
     skip_before_action :authenticate_user!, only: [:create, :update]
 
     def create
-      mutate PasswordResets::Create.run({})
+      mutate PasswordResets::Create.run(email: params[:email])
     end
 
     def update
-      mutate PasswordResets::Update.run({})
+      mutate PasswordResets::Update.run(
+        password:              params[:password],
+        password_confirmation: params[:password_confirmation],
+        token:                 params[:id])
     end
   end
 end

app/mailers/user_mailer.rb

@@ -3,4 +3,10 @@ class UserMailer < ApplicationMailer
       @user = user
       mail(to: @user.email, subject: 'Welcome to The FarmBot Web App!')
     end
+
+    def password_reset(user, raw_token)
+      @user  = user
+      @token = raw_token
+      mail(to: @user.email, subject: 'FarmBot Password Reset Instructions')
+    end
 end

app/mutations/password_resets/create.rb

@@ -1,12 +1,35 @@
 module PasswordResets
   class Create < Mutations::Command
     required do
+      string :email
     end
 
-    optional do
+    def validate
+      email_not_found! unless user 
     end
 
     def execute
+      send_email
+      # Under no circumstance should you return the token.
+      return {status: "Check your email!"}
+    end
+
+private
+
+    def send_email
+      UserMailer.password_reset(user, token).deliver_later
+    end
+
+    def token
+      @token ||= PasswordResetToken.issue_to(user).encoded
+    end
+
+    def email_not_found!
+      add_error :email, :not_found, "Email not found"
+    end
+
+    def user
+      @user ||= User.find_by(email: email)
     end
   end
 end

app/mutations/password_resets/update.rb

@@ -1,12 +1,42 @@
 module PasswordResets
   class Update < Mutations::Command
     required do
+      string :password
+      string :password_confirmation
+      string :token
     end
 
-    optional do
+    def validate
+      valid_password?
     end
 
     def execute
+      user.update_attributes!(password: password,
+                              password_confirmation: password_confirmation)
+      Auth::CreateToken.run!(email:    user.email,
+                             password: password)
+    end
+
+private
+
+    def user
+      @user = User.find_by!(email: email)
+    end
+
+    def email
+      @email ||= reset_token.unencoded["sub"]
+    end
+
+    def valid_password?
+      length_ok = (password.length > 7)
+      pw_match  = password == password_confirmation
+      add_error :password,
+                :invalid,
+                "too short or does not match" unless (length_ok && pw_match)
+    end
+
+    def reset_token
+      @reset_token ||= PasswordResetToken.decode!(token)
     end
   end
 end

app/views/layouts/mailer.html.erb

@@ -1 +1,9 @@
-<%= yield %>
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta content='text/html; charset=UTF-8' http-equiv='Content-Type' />
+  </head>
+  <body>
+    <%= yield %>
+  </body>
+</html>

app/views/user_mailer/welcome_email.html.erb

@@ -1,13 +1,5 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <meta content='text/html; charset=UTF-8' http-equiv='Content-Type' />
-  </head>
-  <body>
-    <h1>Welcome to FarmBot, <%= @user.name %></h1>
-    <p>
-      You may log in <a href="http:<%= $API_URL %>">here</a>.<br>
-    </p>
-    <p>Thanks for joining and have a great day!</p>
-  </body>
-</html>
+<h1>Welcome to FarmBot, <%= @user.name %></h1>
+<p>
+  You may log in <a href="http:<%= $API_URL %>">here</a>.<br>
+</p>
+<p>Thanks for joining and have a great day!</p>