From 916f94ed4b4bb8e7881d5cf8c6535b7ccb368f7a Mon Sep 17 00:00:00 2001
From: Carlos Antonio da Silva
Date: Wed, 18 Feb 2026 10:21:26 -0300
Subject: [PATCH] Add `sign_in_after_reset_password?` check hook to passwords controller (#5826)
Extract a couple small duplicate checks into a method, enabling it as a hook that can be overridden if necessary. It's going to be particularly useful on a flow I'm working on / testing out, to avoid having to copy over the whole block of code from the controller to customize it. We have a similar hook on the registration controller for `sign_in_after_change_password?`, which was also moved to protected. While not much practical change, it hopefully shows better the intention that it's a method users can override if they need, similar to a few other methods in controllers. Also move `update_needs_confirmation?` down to private, as this one in particular I don't think we intended to allow overriding, as it has no practical behavior change other than the flash message.
---
 CHANGELOG.md | 3 ++-
 .../devise/passwords_controller.rb | 9 ++++++--
 .../devise/registrations_controller.rb | 21 ++++++++++---------
 3 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fbb7fe42..a84d5a21 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,8 @@
 ### Unreleased
 * enhancements
- * Allow resource class scopes to override the global configuration for `sign_in_after_change_password` behaviour. [#5824](https://github.com/heartcombo/devise/pull/5824)
+ * Allow resource class scopes to override the global configuration for `sign_in_after_change_password` behaviour. [#5825](https://github.com/heartcombo/devise/pull/5825)
+ * Add `sign_in_after_reset_password?` check hook to passwords controller, to allow it to be customized by users. [#5826](https://github.com/heartcombo/devise/pull/5826)
 ### 5.0.1 - 2026-02-13
diff --git a/app/controllers/devise/passwords_controller.rb b/app/controllers/devise/passwords_controller.rb
index 3af1f864..68b8dc87 100644
--- a/app/controllers/devise/passwords_controller.rb
+++ b/app/controllers/devise/passwords_controller.rb
@@ -36,7 +36,7 @@ class Devise::PasswordsController < DeviseController
 if resource.errors.empty?
 resource.unlock_access! if unlockable?(resource)
- if resource_class.sign_in_after_reset_password
+ if sign_in_after_reset_password?
 flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
 set_flash_message!(:notice, flash_message)
 resource.after_database_authentication
@@ -53,7 +53,7 @@ class Devise::PasswordsController < DeviseController
 protected
 def after_resetting_password_path_for(resource)
- resource_class.sign_in_after_reset_password ? after_sign_in_path_for(resource) : new_session_path(resource_name)
+ sign_in_after_reset_password? ? after_sign_in_path_for(resource) : new_session_path(resource_name)
 end
 # The path used after sending reset password instructions
@@ -69,6 +69,11 @@ class Devise::PasswordsController < DeviseController
 end
 end
+ # Check if the user should be signed in automatically after resetting the password.
+ def sign_in_after_reset_password?
+ resource_class.sign_in_after_reset_password
+ end
+
 # Check if proper Lockable module methods are present & unlock strategy
 # allows to unlock resource on password reset
 def unlockable?(resource)
diff --git a/app/controllers/devise/registrations_controller.rb b/app/controllers/devise/registrations_controller.rb
index 33def66d..79e2b0e8 100644
--- a/app/controllers/devise/registrations_controller.rb
+++ b/app/controllers/devise/registrations_controller.rb
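Review bot: The new hook is consulted twice, in the `if sign_in_after_reset_password?` of the first hunk and again in `after_resetting_password_path_for` in the second hunk, and nothing tells an overrider that both answers must agree. Before this change both sites read the same class-level setting and could not diverge; an override that depends on request or resource state can now take the sign-in branch and still redirect to `new_session_path`, or the reverse, assuming the path helper runs later in the same action (the rest of `update` is outside the hunk). I would state the contract on the hook: `# Called more than once per request; an override must be side-effect free and return the same value each time.` A controller test using an overriding subclass would pin that behaviour.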
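Review bot: The comment on `sign_in_after_reset_password?` in the third hunk should say what a true answer means for security, now that the method is presented as an override point. By the comment's own wording, true means the user is signed in automatically, so the reset token is the only thing the request has proved at that moment. Applications that add a further check before creating a session need to know this is where to opt out. Suggested second line: `# Returning true signs the resource in on the strength of the reset token alone; override to return false when another check (e.g. a second factor) must pass first.`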
@@ -82,12 +82,6 @@ class Devise::RegistrationsController < DeviseController
 protected
- def update_needs_confirmation?(resource, previous)
- resource.respond_to?(:pending_reconfirmation?) &&
- resource.pending_reconfirmation? &&
- previous != resource.unconfirmed_email
- end
-
 # By default we want to require a password checks on update.
 # You can overwrite this method in your own RegistrationsController.
 def update_resource(resource, params)
@@ -133,6 +127,13 @@ class Devise::RegistrationsController < DeviseController
 self.resource = send(:"current_#{resource_name}")
 end
+ # Check if the user should be signed in automatically after updating the password.
+ def sign_in_after_change_password?
+ return true if account_update_params[:password].blank?
+
+ resource_class.sign_in_after_change_password
+ end
+
 def sign_up_params
 devise_parameter_sanitizer.sanitize(:sign_up)
 end
@@ -160,9 +161,9 @@ class Devise::RegistrationsController < DeviseController
 set_flash_message :notice, flash_key
 end
- def sign_in_after_change_password?
- return true if account_update_params[:password].blank?
-
- resource_class.sign_in_after_change_password
+ def update_needs_confirmation?(resource, previous)
+ resource.respond_to?(:pending_reconfirmation?) &&
+ resource.pending_reconfirmation? &&
+ previous != resource.unconfirmed_email
 end
 end
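Review bot: The comment added above `sign_in_after_change_password?` in the second hunk describes only the configured setting and omits the first line of the body, `return true if account_update_params[:password].blank?`, which is the part an overrider is most likely to lose. With the method moved up as an override point, a subclass that replaces it without calling `super` would apply its own answer to updates that submit no new password as well; the callers are outside the hunk, so the effect on the session is inferred. I would add a second comment line such as `# Always true when no new password was submitted; call super to keep that behaviour.`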
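Review bot: Moving `update_needs_confirmation?` to the end of the class in the third hunk records intent but does not enforce it: Ruby still dispatches to a subclass's definition of a private method, so applications that already override it keep doing so silently. Since the description says the method only influences the flash message, a comment would carry the intent better than visibility alone, e.g. `# Internal: decides the flash message only; not a supported override point.` The `private` keyword itself is outside the hunk, so the new visibility is taken from the commit description.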