feat: Enable Devise.paranoid mode by default

tvdeyen · tvdeyen · commit 1af992aa1622 · 2026-02-02T15:31:51.000+01:00
This will prevent email enumeration. See https://github.com/heartcombo/devise/wiki/How-To:-Using-paranoid-mode,-avoid-user-enumeration-on-registerable Signed-off-by: Thomas von Deyen <thomas@vondeyen.com>
diff --git a/lib/generators/alchemy/devise/install/templates/devise.rb.tt b/lib/generators/alchemy/devise/install/templates/devise.rb.tt
@@ -90,7 +90,7 @@ Devise.setup do |config|
   # It will change confirmation, password recovery and other workflows
   # to behave the same regardless if the e-mail provided was right or wrong.
   # Does not affect registerable.
-  # config.paranoid = true
+  config.paranoid = true
 
   # By default Devise will store the user in session. You can skip storage for
   # particular strategies by setting this option.
diff --git a/spec/features/password_reset_feature_spec.rb b/spec/features/password_reset_feature_spec.rb
@@ -17,16 +17,39 @@
     click_button "Send reset instructions"
 
     expect(page)
-      .to have_content("You will receive an email with instructions on how to reset your password in a few minutes.")
+      .to have_content("If your email address exists in our database, you will receive a password recovery link")
   end
 
-  it "Displays error if email not found." do
-    visit admin_new_password_path
+  context "with paranoid mode disabled" do
+    before do
+      allow(Devise).to receive(:paranoid).and_return(false)
+    end
 
-    fill_in :user_email, with: "wrong@email.com"
-    click_button "Send reset instructions"
+    it "Displays error if email not found." do
+      visit admin_new_password_path
+
+      fill_in :user_email, with: "wrong@email.com"
+      click_button "Send reset instructions"
+
+      expect(page).to have_content("Email not found")
+    end
+  end
+
+  context "with paranoid mode enabled" do
+    before do
+      allow(Devise).to receive(:paranoid).and_return(true)
+    end
+
+    it "Displays notification about reset instructions.", :js do
+      visit admin_new_password_path
+
+      fill_in :user_email, with: "wrong@email.com"
+      click_button "Send reset instructions"
 
-    expect(page).to have_content("Email not found")
+      expect(page).to have_content(
+        "If your email address exists in our database, you will receive a password recovery link"
+      )
+    end
   end
 
   it "User can visit edit password form." do
