# Copyright (C) 2024 Manuel Bustillo

class PasswordsController < ApplicationController
  allow_unauthenticated_access
  before_action :set_user_by_token, only: :update

  def create
    if user = User.find_by(email_address: params[:email_address])
      PasswordsMailer.reset(user).deliver_later
    end

    render json: {}, status: :ok
  end

  def update
    if @user.update(params.permit(:password, :password_confirmation))
      render json: {}, status: :ok
    else
      render json: { errors: @user.errors.full_messages }, status: :unprocessable_entity
    end
  end

  private

  def set_user_by_token
    @user = User.find_by_password_reset_token!(params[:token])
  rescue ActiveSupport::MessageVerifier::InvalidSignature
    redirect_to new_password_path, alert: 'Password reset link is invalid or has expired.'
  end
end