Add allow_password_resets config option

Gemfile

@@ -14,5 +14,5 @@ gem 'pry', require: false
 gem 'rails-controller-testing'
 gem 'rspec-rails'
 gem 'shoulda-matchers'
-gem 'sqlite3'
+gem 'sqlite3', '~> 1.7'
 gem 'timecop'

Gemfile.lock

@@ -64,12 +64,11 @@ GEM
       ffi-compiler (~> 1.0)
     ast (2.4.2)
     bcrypt (3.1.20)
-    better_html (1.0.16)
-      actionview (>= 4.0)
-      activesupport (>= 4.0)
+    better_html (2.1.1)
+      actionview (>= 6.0)
+      activesupport (>= 6.0)
       ast (~> 2.0)
       erubi (~> 1.4)
-      html_tokenizer (~> 0.0.6)
       parser (>= 2.4)
       smart_properties
     builder (3.2.4)
@@ -83,7 +82,7 @@ GEM
       regexp_parser (>= 1.5, < 3.0)
       xpath (~> 3.2)
     coderay (1.1.3)
-    concurrent-ruby (1.1.10)
+    concurrent-ruby (1.2.3)
     crass (1.0.6)
     database_cleaner (2.0.1)
       database_cleaner-active_record (~> 2.0.0)
@@ -95,15 +94,14 @@ GEM
     diff-lcs (1.5.0)
     email_validator (2.2.4)
       activemodel
-    erb_lint (0.1.1)
+    erb_lint (0.5.0)
       activesupport
-      better_html (~> 1.0.7)
-      html_tokenizer
+      better_html (>= 2.0.1)
       parser (>= 2.7.1.4)
       rainbow
       rubocop
       smart_properties
-    erubi (1.10.0)
+    erubi (1.12.0)
     factory_bot (6.2.1)
       activesupport (>= 5.0.0)
     factory_bot_rails (6.2.0)
@@ -115,12 +113,13 @@ GEM
       rake
     globalid (1.2.1)
       activesupport (>= 6.1)
-    html_tokenizer (0.0.7)
-    i18n (1.10.0)
+    i18n (1.14.5)
       concurrent-ruby (~> 1.0)
-    loofah (2.18.0)
+    json (2.7.2)
+    language_server-protocol (3.17.0.3)
+    loofah (2.22.0)
       crass (~> 1.0.2)
-      nokogiri (>= 1.5.9)
+      nokogiri (>= 1.12.0)
     mail (2.8.1)
       mini_mime (>= 0.1.1)
       net-imap
@@ -129,8 +128,8 @@ GEM
     matrix (0.4.2)
     method_source (1.0.0)
     mini_mime (1.1.2)
-    mini_portile2 (2.8.0)
-    minitest (5.15.0)
+    mini_portile2 (2.8.6)
+    minitest (5.22.3)
     net-imap (0.4.10)
       date
       net-protocol
@@ -140,29 +139,32 @@ GEM
       timeout
     net-smtp (0.5.0)
       net-protocol
-    nokogiri (1.13.6)
-      mini_portile2 (~> 2.8.0)
+    nokogiri (1.16.4)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    parallel (1.22.1)
-    parser (3.1.2.0)
+    parallel (1.24.0)
+    parser (3.3.1.0)
       ast (~> 2.4.1)
+      racc
     pry (0.14.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (4.0.7)
-    racc (1.6.0)
+    racc (1.7.3)
     rack (2.2.3.1)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
       activesupport (>= 5.0.1.rc1)
-    rails-dom-testing (2.0.3)
-      activesupport (>= 4.2.0)
+    rails-dom-testing (2.2.0)
+      activesupport (>= 5.0.0)
+      minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.3)
-      loofah (~> 2.3)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
     railties (7.0.3)
       actionpack (= 7.0.3)
       activesupport (= 7.0.3)
@@ -172,8 +174,8 @@ GEM
       zeitwerk (~> 2.5)
     rainbow (3.1.1)
     rake (13.1.0)
-    regexp_parser (2.5.0)
-    rexml (3.2.5)
+    regexp_parser (2.9.0)
+    rexml (3.2.6)
     rspec-core (3.11.0)
       rspec-support (~> 3.11.0)
     rspec-expectations (3.11.0)
@@ -191,28 +193,31 @@ GEM
       rspec-mocks (~> 3.10)
       rspec-support (~> 3.10)
     rspec-support (3.11.0)
-    rubocop (1.30.1)
+    rubocop (1.63.4)
+      json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 3.1.0.0)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.18.0, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.18.0)
-      parser (>= 3.1.1.0)
-    ruby-progressbar (1.11.0)
+      unicode-display_width (>= 2.4.0, < 3.0)
+    rubocop-ast (1.31.3)
+      parser (>= 3.3.1.0)
+    ruby-progressbar (1.13.0)
     shoulda-matchers (5.1.0)
       activesupport (>= 5.2.0)
     smart_properties (1.17.0)
-    sqlite3 (1.4.2)
+    sqlite3 (1.7.3)
+      mini_portile2 (~> 2.8.0)
     thor (1.2.1)
     timecop (0.9.5)
     timeout (0.4.1)
-    tzinfo (2.0.4)
+    tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.1.0)
+    unicode-display_width (2.5.0)
     xpath (3.2.0)
       nokogiri (~> 1.8)
     zeitwerk (2.5.4)
@@ -234,7 +239,7 @@ DEPENDENCIES
   rails-controller-testing
   rspec-rails
   shoulda-matchers
-  sqlite3
+  sqlite3 (~> 1.7)
   timecop
 
 BUNDLED WITH

README.md

@@ -50,6 +50,7 @@ Override any of these defaults in `config/initializers/clearance.rb`:
 ```ruby
 Clearance.configure do |config|
   config.allow_sign_up = true
+  config.allow_password_reset = true
   config.cookie_domain = ".example.com"
   config.cookie_expiration = lambda { |cookies| 1.year.from_now.utc }
   config.cookie_name = "remember_token"

app/views/sessions/_form.html.erb

@@ -17,6 +17,8 @@
     <% if Clearance.configuration.allow_sign_up? %>
       <%= link_to t(".sign_up"), sign_up_path %>
     <% end %>
-    <%= link_to t(".forgot_password"), new_password_path %>
+    <% if Clearance.configuration.allow_password_reset? %>
+      <%= link_to t(".forgot_password"), new_password_path %>
+    <% end %>
   </div>
 <% end %>

config/routes.rb

@@ -11,9 +11,11 @@
     resources :users,
       controller: 'clearance/users',
       only: Clearance.configuration.user_actions do
-        resource :password,
-          controller: 'clearance/passwords',
-          only: [:edit, :update]
+        if Clearance.configuration.allow_password_reset?
+          resource :password,
+            controller: 'clearance/passwords',
+            only: [:edit, :update]
+        end
       end
 
     get '/sign_in' => 'clearance/sessions#new', as: 'sign_in'

gemfiles/rails_6.1.gemfile

@@ -14,7 +14,7 @@ gem "pry", require: false
 gem "rails-controller-testing"
 gem "rspec-rails"
 gem "shoulda-matchers"
-gem "sqlite3"
+gem "sqlite3", "~> 1.7"
 gem "timecop"
 gem "railties", "~> 6.1.0"
 gem "net-smtp", require: false

gemfiles/rails_7.0.gemfile

@@ -14,7 +14,7 @@ gem "pry", require: false
 gem "rails-controller-testing"
 gem "rspec-rails"
 gem "shoulda-matchers"
-gem "sqlite3"
+gem "sqlite3", "~> 1.7"
 gem "timecop"
 gem "railties", "~> 7.0.0"
 

gemfiles/rails_7.1.gemfile

@@ -14,7 +14,7 @@ gem "pry", require: false
 gem "rails-controller-testing"
 gem "rspec-rails"
 gem "shoulda-matchers"
-gem "sqlite3"
+gem "sqlite3", "~> 1.7"
 gem "timecop"
 gem "railties", "~> 7.1.0"
 

lib/clearance/configuration.rb

@@ -7,6 +7,13 @@ class Configuration
     # @return [Boolean]
     attr_writer :allow_sign_up
 
+    # Controls whether the password reset routes are enabled
+    # Defaults to `true`. Set to False to disable password reset routes
+    # The setting is ignored if routes are disabled.
+    # @param [Boolean] value
+    # @return [Boolean]
+    attr_writer :allow_password_reset
+
     # The domain to use for the clearance remember token cookie.
     # Defaults to `nil`, which causes the cookie domain to default to the
     # domain of the request. For more, see
@@ -145,6 +152,7 @@ class Configuration
 
     def initialize
       @allow_sign_up = true
+      @allow_password_reset = true
       @allowed_backdoor_environments = ["test", "ci", "development"]
       @cookie_domain = nil
       @cookie_expiration = ->(cookies) { 1.year.from_now.utc }
@@ -195,6 +203,12 @@ def allow_sign_up?
       @allow_sign_up
     end
 
+    # Are the password reset routes enabled?
+    # @return [Boolean]
+    def allow_password_reset?
+      @allow_password_reset
+    end
+
     # Specifies which controller actions are allowed for user resources.
     # This will be `[:create]` is `allow_sign_up` is true (the default), and
     # empty otherwise.

spec/configuration_spec.rb

@@ -179,6 +179,21 @@
     end
   end
 
+  describe "#allow_password_reset?" do
+    context "when allow_password_reset is configured to false" do
+      it "returns false" do
+        Clearance.configure { |config| config.allow_password_reset = false }
+        expect(Clearance.configuration.allow_password_reset?).to eq false
+      end
+    end
+
+    context "when allow_sign_up has not been configured" do
+      it "returns true" do
+        expect(Clearance.configuration.allow_password_reset?).to eq true
+      end
+    end
+  end  
+
   describe "#user_actions" do
     context "when allow_sign_up is configured to false" do
       it "returns empty array" do

spec/routing/clearance_routes_spec.rb

@@ -62,4 +62,36 @@
       expect(post: 'users').to be_routable
     end
   end
+
+  context 'password reset disabled' do
+    around do |example|
+      Clearance.configure { |config| config.allow_password_reset = false }
+      Rails.application.reload_routes!
+      example.run
+      Clearance.configuration = Clearance::Configuration.new
+      Rails.application.reload_routes!
+    end
+
+    it 'does not route password edit' do
+      user = create(:user)
+      expect(get: "users/#{user.id}/password/edit").not_to be_routable
+    end
+
+    it 'does not route to clearance/passwords#update' do
+      user = create(:user)
+      expect(patch: "/users/#{user.id}/password").not_to be_routable
+    end
+  end
+
+  context 'reset enabled' do
+    it 'does route password edit' do
+      user = create(:user)
+      expect(get: "users/#{user.id}/password/edit").to be_routable
+    end
+
+    it 'does route to clearance/passwords#update' do
+      user = create(:user)
+      expect(patch: "/users/#{user.id}/password").to be_routable
+    end
+  end
 end