Add sign_in_after_reset_password? check hook to passwords controller (#5826)

Extract a couple small duplicate checks into a method, enabling it as a
hook that can be overridden if necessary. It's going to be particularly useful
on a flow I'm working on / testing out, to avoid having to copy over the whole
block of code from the controller to customize it.

We have a similar hook on the registration controller for
`sign_in_after_change_password?`, which was also moved to protected.

While not much practical change, it hopefully shows better the intention
that it's a method users can override if they need, similar to a few
other methods in controllers.

Also move `update_needs_confirmation?` down to private, as this one in
particular I don't think we intended to allow overriding, as it has no
practical behavior change other than the flash message.
Carlos Antonio da Silva
2026-02-18 10:21:26 -03:00
committed by GitHub
parent 1befcb5882
commit 916f94ed4b
3 changed files with 20 additions and 13 deletions


@@ -1,7 +1,8 @@
### Unreleased
* enhancements
* Allow resource class scopes to override the global configuration for `sign_in_after_change_password` behaviour. [#5824](https://github.com/heartcombo/devise/pull/5824)
* Allow resource class scopes to override the global configuration for `sign_in_after_change_password` behaviour. [#5825](https://github.com/heartcombo/devise/pull/5825)
* Add `sign_in_after_reset_password?` check hook to passwords controller, to allow it to be customized by users. [#5826](https://github.com/heartcombo/devise/pull/5826)
### 5.0.1 - 2026-02-13
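Review bot: The `sign_in_after_change_password` entry appears twice in this hunk with only the PR number differing (#5824 and #5825), which reads as a link correction unrelated to the new hook. The commit message does not mention it; either note the correction there or split it into its own commit so the changelog history stays traceable.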


@@ -36,7 +36,7 @@ class Devise::PasswordsController < DeviseController
if resource.errors.empty?
resource.unlock_access! if unlockable?(resource)
if resource_class.sign_in_after_reset_password
if sign_in_after_reset_password?
flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
set_flash_message!(:notice, flash_message)
resource.after_database_authentication
@@ -53,7 +53,7 @@ class Devise::PasswordsController < DeviseController
protected
def after_resetting_password_path_for(resource)
resource_class.sign_in_after_reset_password ? after_sign_in_path_for(resource) : new_session_path(resource_name)
sign_in_after_reset_password? ? after_sign_in_path_for(resource) : new_session_path(resource_name)
end
# The path used after sending reset password instructions
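Review bot: `sign_in_after_reset_password?` is now evaluated at two call sites, the `if` in the hunk at line 36 and here in `after_resetting_password_path_for`. If both run in the same request, as the names suggest, an override whose answer depends on state that changes between the calls could sign the user in and then redirect to `new_session_path`, or the reverse. Document that an override must return the same answer for the whole request, or compute the value once and reuse it in both places.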
@@ -69,6 +69,11 @@ class Devise::PasswordsController < DeviseController
end
end
# Check if the user should be signed in automatically after resetting the password.
def sign_in_after_reset_password?
resource_class.sign_in_after_reset_password
end
# Check if proper Lockable module methods are present & unlock strategy
# allows to unlock resource on password reset
def unlockable?(resource)
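Review bot: The comment on `sign_in_after_reset_password?` does not say the method is meant to be overridden, while the registrations controller documents its hook with "You can overwrite this method in your own RegistrationsController."; add the equivalent sentence here. None of the 3 changed files is a test, so nothing checks that a subclass override controls both the sign-in branch and the redirect path; a controller test using an overriding subclass would pin that behaviour down, which matters because the override decides whether a password reset ends in an authenticated session.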


@@ -82,12 +82,6 @@ class Devise::RegistrationsController < DeviseController
protected
def update_needs_confirmation?(resource, previous)
resource.respond_to?(:pending_reconfirmation?) &&
resource.pending_reconfirmation? &&
previous != resource.unconfirmed_email
end
# By default we want to require a password checks on update.
# You can overwrite this method in your own RegistrationsController.
def update_resource(resource, params)
@@ -133,6 +127,13 @@ class Devise::RegistrationsController < DeviseController
self.resource = send(:"current_#{resource_name}")
end
# Check if the user should be signed in automatically after updating the password.
def sign_in_after_change_password?
return true if account_update_params[:password].blank?
resource_class.sign_in_after_change_password
end
def sign_up_params
devise_parameter_sanitizer.sanitize(:sign_up)
end
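Review bot: The new comment on `sign_in_after_change_password?` describes only the configuration lookup and not the early `return true if account_update_params[:password].blank?`. Now that the method is presented as an override point, state in the comment that it returns true when the update did not include a password, so that someone overriding it knows to keep or deliberately drop that case.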
@@ -160,9 +161,9 @@ class Devise::RegistrationsController < DeviseController
set_flash_message :notice, flash_key
end
def sign_in_after_change_password?
return true if account_update_params[:password].blank?
resource_class.sign_in_after_change_password
def update_needs_confirmation?(resource, previous)
resource.respond_to?(:pending_reconfirmation?) &&
resource.pending_reconfirmation? &&
previous != resource.unconfirmed_email
end
end
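Review bot: Moving `update_needs_confirmation?` to private does not prevent overriding: in Ruby a subclass can still redefine and call a private method, so the move only signals intent. If it is not meant as an extension point, say so in a comment above the method, and add a changelog line for the visibility change, since the CHANGELOG hunk lists only the new hook.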