Ensure users can’t be spammed with password resets

app/controllers/users_controller.rb

@@ -32,7 +32,7 @@ class UsersController < ApplicationController
   end
 
   def update
-    if @user.update(existing_user_params)
+    if existing_user_params.present? && @user.update(existing_user_params)
       redirect_to @user, notice: t(".success")
     else
       flash.now[:alert] = t(".error")
@@ -59,6 +59,7 @@ class UsersController < ApplicationController
         :last_name,
         :profile,
         :avatar,
+        :delete_avatar,
       )
     end
 

app/mailers/user_mailer.rb

@@ -20,6 +20,9 @@ class UserMailer < ApplicationMailer
     @user = params[:user]
     @token = params[:token]
 
+    return if @user.password_reset_last_sent_at&.after?(10.minutes.ago)
+
+    @user.update(password_reset_last_sent_at: Time.zone.now)
     mail(to: @user.email, subject: t(".password_reset.subject"))
   end
 end

app/models/concerns/deletable_attachments.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module DeletableAttachments
+  extend ActiveSupport::Concern
+
+  included do
+    before_save :delete_attachments
+
+    def delete_attachments
+      attachment_reflections.each do |reflection, _|
+        if send("delete_#{reflection}")
+          send(reflection).purge
+        end
+      end
+    end
+  end
+
+  class_methods do
+    def deletable_attachments(*attachments)
+      attachments.each do |attachment|
+        attribute "delete_#{attachment}", :boolean, default: false
+      end
+    end
+  end
+end

app/models/user.rb

@@ -1,6 +1,9 @@
 # frozen_string_literal: true
 
 class User < ApplicationRecord
+  include DeletableAttachments
+  deletable_attachments :avatar
+
   has_and_belongs_to_many :site_roles
   has_many :owned_tables, foreign_key: :owner_id, class_name: "Table"
   has_many :players, dependent: :destroy

app/views/users/_form.html.erb

@@ -35,6 +35,9 @@
     <hr>
 
     <% if user.persisted? %>
+      <%= f.label :delete_avatar %>
+      <%= f.check_box :delete_avatar %>
+
       <%= f.label :avatar %>
       <%= f.file_field :avatar %>
       <%= display_form_errors(user, :avatar) %>

db/migrate/20240605132327_add_password_reset_last_sent_at_to_user.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddPasswordResetLastSentAtToUser < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :password_reset_last_sent_at, :datetime
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.1].define(version: 2024_05_30_073852) do
+ActiveRecord::Schema[7.1].define(version: 2024_06_05_132327) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -221,6 +221,7 @@ ActiveRecord::Schema[7.1].define(version: 2024_05_30_073852) do
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
     t.boolean "verified", default: false, null: false
+    t.datetime "password_reset_last_sent_at"
     t.index ["email"], name: "index_users_on_email", unique: true
     t.index ["username"], name: "index_users_on_username", unique: true
     t.index ["verified"], name: "index_users_on_verified"

test/controllers/users_controller_test.rb

@@ -52,6 +52,15 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     assert_redirected_to user_path(users(:trevor))
   end
 
+  test "can delete avatar" do
+    user = users(:trevor)
+    assert user.avatar.attached?
+
+    sign_in users(:trevor)
+    patch(user_url(user), params: { user: { delete_avatar: "1" } })
+    assert_not user.reload.avatar.attached?
+  end
+
   private
 
     def user_params

test/fixtures/active_storage/attachments.yml

@@ -0,0 +1,4 @@
+trevor_avatar:
+  name: avatar
+  record: trevor (User)
+  blob: trevor_avatar_blob

test/fixtures/active_storage/blobs.yml

@@ -0,0 +1 @@
+trevor_avatar_blob: <%= ActiveStorage::FixtureSet.blob(filename: "trevor.png", service_name: "test") %>

test/mailers/user_mailer_test.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class UserMailerTest < ActionMailer::TestCase
+  test "password resets can’t be resent within 10 minutes" do
+    user = users(:trevor)
+    assert_emails(+1) do
+      UserMailer.with(user: user, token: user.generate_token_for(:password_reset)).password_reset.deliver_now
+    end
+    assert_emails(0) do
+      UserMailer.with(user: user, token: user.generate_token_for(:password_reset)).password_reset.deliver_now
+    end
+    travel 11.minutes
+    assert_emails(+1) do
+      UserMailer.with(user: user, token: user.generate_token_for(:password_reset)).password_reset.deliver_now
+    end
+  end
+end

test/models/user_test.rb

@@ -55,4 +55,15 @@ class UserTest < ActiveSupport::TestCase
     user.update(password: "new_password")
     assert_nil User.find_by_token_for(:password_reset, token)
   end
+
+  test "avatar is automatically deleted when flag set" do
+    user = users(:trevor)
+    assert user.avatar.attached?
+    user.first_name = "Newname"
+    user.save
+    assert user.avatar.attached?
+    user.delete_avatar = true
+    user.save
+    assert_not user.avatar.attached?
+  end
 end

todo.md

@@ -1,6 +1,5 @@
-- avatars
+- ensure password reset emails can't send too often
-  - delete avatar
+- default avatars
-  - default avatars
 - shared/private notes
 - Add characters to users/tables
 - Character sheets/prototypes