Feature: Add strong parameters to the PasswordsController

## Problem
The `Devise::PasswordsController` uses unsanitized [resource_params](https://github.com/heartcombo/devise/blob/main/app/controllers/devise_controller.rb#L221) during password reset, which could lead to security issues.


## Proposal
* Add a new `:reset_password` action to the [DEFAULT_PERMITTED_ATTRIBUTES](https://github.com/heartcombo/devise/blob/main/lib/devise/parameter_sanitizer.rb#L152)
```ruby
DEFAULT_PERMITTED_ATTRIBUTES = {
      sign_in: [:password, :remember_me],
      sign_up: [:password, :password_confirmation],
      account_update: [:password, :password_confirmation, :current_password]
      reset_password: [:reset_password_token, :password, :password_confirmation]
    }
```
* Use it in the `Devise::PasswordsController`.
```ruby 
    def resource_params
      devise_parameter_sanitizer.sanitize(:reset_password)
    end
```

This will ensure the parameters used in the `Devise::PasswordsController`are sanitized, maintaining consistency with other controllers like RegistrationController and SessionController.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Feature: Add strong parameters to the PasswordsController #5747

Problem

Proposal

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Feature: Add strong parameters to the PasswordsController #5747

Description

Problem

Proposal

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions