From 7f715a51c10fc273bb7274a5d2b3d5e5c7b92136 Mon Sep 17 00:00:00 2001
From: Ben Lovell
Date: Mon, 26 Feb 2024 20:37:12 +0000
Subject: [PATCH 1/2] Don't needlessly redirect in dev

---
 app/controllers/catchall_controller.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/controllers/catchall_controller.rb b/app/controllers/catchall_controller.rb
index 9a40bddff..cb440df1d 100644
--- a/app/controllers/catchall_controller.rb
+++ b/app/controllers/catchall_controller.rb
@@ -1,5 +1,7 @@
 class CatchallController < ApplicationController
 def not_implemented
+ return head :not_found if Rails.env.development?
+
 interactor.call do |error|
 return redirect_to error.location, status: error.status if error.redirect?
 end

From efb493d23a128211a7b09ef3a80cd8cf1ae3620a Mon Sep 17 00:00:00 2001
From: Ben Lovell
Date: Mon, 26 Feb 2024 20:37:48 +0000
Subject: [PATCH 2/2] Force users to signin after password update

Force a signin after the user updates their password via their settings/profile page to address potential session-fixation.

---
 config/initializers/devise.rb               | 3 +++
 features/settings.feature                   | 4 +++-
 features/step_definitions/settings_steps.rb | 11 +++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 74f657d80..794c94c05 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -72,6 +72,9 @@
 # Does not affect registerable.
 # config.paranoid = true
 
+ # force accounts to signin again after changing password
+ config.sign_in_after_change_password = false
+
 # By default Devise will store the user in session. You can skip storage for
 # particular strategies by setting this option.
 # Notice that if you are skipping storage for all authentication paths, you
diff --git a/features/settings.feature b/features/settings.feature
index f660b5520..25d090b24 100644
--- a/features/settings.feature
+++ b/features/settings.feature
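Review bot: The added `return head :not_found if Rails.env.development?` makes `not_implemented` take a different path in development than in production without saying why, so a reader of the controller has to find this commit to understand it. A comment on the line would carry the intent, e.g. `# Development only: answer 404 immediately rather than resolving a redirect through the interactor.` An environment check inside an action also means the interactor branch is never exercised locally; if that matters, a configuration toggle read here would let tests and developers opt in to the production path, though whether such a setting exists in this app is not visible from the hunk. The `def not_implemented` body continues past the end of the hunk.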
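Review bot: The comment above `config.sign_in_after_change_password = false` describes the outcome but not the mechanism, and the mechanism is the security-relevant part: as far as I recall Devise, this flag only stops the registrations controller from re-establishing the current session after a password change, so the current browser lands on the sign-in page; other sessions are dropped because Devise stores a salt derived from the password hash in the session, independently of this flag. Suggest `# After a password change via the registrations controller, do not re-sign-in the current session; the user must authenticate again with the new password.` The commit message frames this as session fixation, but it is closer to session invalidation on credential change — fixation concerns attacker-chosen session ids before login and is handled by session renewal at sign-in. The flag does not cover the password-reset flow, which Devise governs separately through `config.sign_in_after_reset_password`; worth reviewing with the same intent.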
@@ -17,9 +17,11 @@ Feature: Settings
 
 Scenario: Updating password
 Given I am signed in
+ And I sign in elsewhere
 And I am on the settings page
 And I update password to "new password"
- Then I should see a successful update notification
+ And I will be logged out
+ And I will be logged out elsewhere
 
 Scenario: Updating post code
 Given I am signed in
diff --git a/features/step_definitions/settings_steps.rb b/features/step_definitions/settings_steps.rb
index 256927e2f..895c2f671 100644
--- a/features/step_definitions/settings_steps.rb
+++ b/features/step_definitions/settings_steps.rb
@@ -34,3 +34,14 @@
 Then(/^I see my settings page$/) do
 expect(settings_page).to be_displayed
 end
+
+Then('I will be logged out') do
+ expect(sign_in_page).to be_displayed
+end
+
+Then('I will be logged out elsewhere') do
+ Capybara.using_session(:other_session) do
+ step 'I try to view the settings page'
+ step 'I will be logged out'
+ end
+end
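Review bot: Dropping `Then I should see a successful update notification` in favour of the two logout steps leaves the "Updating password" scenario with no assertion that the new password is actually in effect; both new steps only observe that the user ends up unauthenticated. Consider closing the scenario with a step that signs in again using "new password", and optionally one that the old password is refused — phrased as, say, `And I sign in with "new password"`, which would need a definition alongside the existing sign-in steps. The scenario is complete within the hunk.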
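Review bot: `Then('I will be logged out')` only checks that `sign_in_page` is displayed, which in the current session is satisfied by the post-update redirect and does not by itself prove the session was invalidated; the "elsewhere" variant is stronger precisely because it first requests a protected page. Make the plain step do the same by inserting `step 'I try to view the settings page'` before the `expect`, and drop the now-redundant first `step` line inside the `using_session` block so both steps share one definition of "logged out". The `:other_session` name presumably has to match the one used by `I sign in elsewhere`, which is defined outside this hunk; a shared constant in the step file would keep the two from drifting apart.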