consolidate logic regarding creation/setting of password reset tokens within...

consolidate logic regarding creation/setting of password reset tokens within functions of User model.  update the `(create-user)` function so that we send users directly to reset their password instead of starting on the forgot_password page.

resources/frontend_client/app/auth/auth.controllers.js

@@ -88,6 +88,7 @@ AuthControllers.controller('ForgotPassword', ['$scope', '$cookies', '$location',
         Session.forgot_password({
             'email': email
         }, function (result) {
+            console.log(result);
             $scope.sentNotification = true;
         }, function (error) {
             $scope.$broadcast("form:api-error", error);

src/metabase/api/session.clj

@@ -8,7 +8,7 @@
             [metabase.api.common :refer :all]
             [metabase.db :refer :all]
             [metabase.email.messages :as email]
-            (metabase.models [user :refer [User set-user-password]]
+            (metabase.models [user :refer [User set-user-password set-user-password-reset-token]]
                              [session :refer [Session]]
                              [setting :as setting])
             [metabase.util.password :as pass]))
@@ -57,12 +57,10 @@
   "Send a reset email when user has forgotten their password."
   [:as {:keys [server-name] {:keys [email]} :body, :as request}]
   {email [Required Email]}
-  (let [user-id            (sel :one :id User :email email)
-        reset-token        (str user-id "_" (java.util.UUID/randomUUID))
-        password-reset-url (str (@(ns-resolve 'metabase.core 'site-url) request) "/auth/reset_password/" reset-token)] ; avoid circular deps
-    ;; Don't leak whether the account doesn't exist, just pretend everything is ok
-    (when user-id
-      (upd User user-id, :reset_token reset-token, :reset_triggered (System/currentTimeMillis))
+  ;; Don't leak whether the account doesn't exist, just pretend everything is ok
+  (when-let [user-id (sel :one :id User :email email)]
+    (let [reset-token        (set-user-password-reset-token user-id)
+          password-reset-url (str (@(ns-resolve 'metabase.core 'site-url) request) "/auth/reset_password/" reset-token)]
       (email/send-password-reset-email email server-name password-reset-url)
       (log/info password-reset-url))))
 

src/metabase/models/user.clj

@@ -54,8 +54,14 @@
           [:is_active
            :is_staff])) ; but not `password` !
 
+
 ;; ## Related Functions
 
+(declare create-user
+         form-password-reset-url
+         set-user-password
+         set-user-password-reset-token)
+
 (defn create-user
   "Convenience function for creating a new `User` and sending out the welcome email."
   [first-name last-name email-address & {:keys [send-welcome reset-url]
@@ -68,8 +74,10 @@
                         :first_name first-name
                         :last_name last-name
                         :password (str (java.util.UUID/randomUUID)))]
-    (if send-welcome
-      (email/send-new-user-email first-name email-address reset-url))
+    (when send-welcome
+      (let [reset-token (set-user-password-reset-token (:id new-user))
+            join-url    (form-password-reset-url reset-token)]
+        (email/send-new-user-email new-user invitor join-url)))
     ;; return the newly created user
     new-user))
 
@@ -84,3 +92,18 @@
       :password password
       :reset_token nil
       :reset_triggered nil)))
+
+(defn set-user-password-reset-token
+  "Updates a given `User` and generates a password reset token for them to use.  Returns the url for password reset."
+  [user-id]
+  {:pre [(integer? user-id)]}
+  (let [reset-token (str user-id "_" (java.util.UUID/randomUUID))]
+    (upd User user-id, :reset_token reset-token, :reset_triggered (System/currentTimeMillis))
+    ;; return the token
+    reset-token))
+
+(defn form-password-reset-url
+  "Generate a properly formed password reset url given a password reset token."
+  [reset-token]
+  {:pre [(string? reset-token)]}
+  (str (setting/get :-site-url) "/auth/reset_password/" reset-token))