Bug in password reset token

[wout]

I've been testing our password reset flow and ran into a few 500 errors. At first, I thought it was on my side, but it turns out there is a bug caused by the generated tokens.

If a token contains a +, it is interpreted as whitespace. Here is an example:

GSSuuPIePHZIDu4fx/ugiIcVX3jQratcnG6V0MBgJ5M=--xm02SWDRKUUIzaf8P+fPub95NWo=

---------------------------------------------------------------^

At the error page, it shows the token without the +:

[jwoertink]

Oh interesting. We will need to check for a url_safe option for this just to be sure.

[wout]

Yeah, it's probably an easy fix in authentic.

[paulcsmith]

Ah nice. URL safe or probably encode with Base64 should likely fix it too

[wout]

@paulcsmith

So, Base64.strict_encode the token before usage and Base64.decode_string before parsing and comparison? I can create a PR for that...

[jwoertink]

I think we'd want urlsafe_encode which will replace + with -.

[wout]

Ok, that sounds more reasonable. A good one to know. 🤓️