Explain reset token expiration in emails

Tell new users when their password reset token expires and provide a
link to get a new one.

CHANGELOG

@@ -32,6 +32,7 @@ v 7.11.0 (unreleased)
   - Show Atom feed buttons everywhere where applicable.
   - Add project activity atom feed.
   - Don't crash when an MR from a fork has a cross-reference comment from the target project on one of its commits.
+  - Explain how to get a new password reset token in welcome emails
   - Include commit comments in MR from a forked project.
   - Fix adding new group members from admin area
   - Group milestones by title in the dashboard and all other issue views.

app/helpers/emails_helper.rb

@@ -35,4 +35,23 @@ module EmailsHelper
     lexer = Rugments::Lexers::Diff.new
     raw formatter.format(lexer.lex(diffcontent))
   end
+
+  def password_reset_token_valid_time
+    valid_hours = Devise.reset_password_within / 60 / 60
+    if valid_hours >= 24
+      unit = 'day'
+      valid_length = (valid_hours / 24).floor
+    else
+      unit = 'hour'
+      valid_length = valid_hours.floor
+    end
+
+    pluralize(valid_length, unit)
+  end
+
+  def reset_token_expire_message
+    link_tag = link_to('request a new one', new_user_password_url)
+    msg = "This link is valid for #{password_reset_token_valid_time}.  "
+    msg << "After it expires, you can #{link_tag}."
+  end
 end

app/views/notify/new_user_email.html.haml

@@ -12,3 +12,5 @@
 - if @user.created_by_id
   %p
     = link_to "Click here to set your password", edit_password_url(@user, :reset_password_token => @token)
+  %p
+    = reset_token_expire_message

app/views/notify/new_user_email.text.erb

@@ -5,4 +5,6 @@ The Administrator created an account for you. Now you are a member of the compan
 login.................. <%= @user.email %>
 <% if @user.created_by_id %>
   <%= link_to "Click here to set your password", edit_password_url(@user, :reset_password_token => @token) %>
+
+  <%= reset_token_expire_message %>
 <% end %>

spec/helpers/emails_helper_spec.rb

@@ -0,0 +1,46 @@
+require 'spec_helper'
+
+describe EmailsHelper do
+  describe 'password_reset_token_valid_time' do
+    def validate_time_string(time_limit, expected_string)
+      Devise.reset_password_within = time_limit
+      expect(password_reset_token_valid_time).to eq(expected_string)
+    end
+
+    context 'when time limit is less than 2 hours' do
+      it 'should display the time in hours using a singular unit' do
+        validate_time_string(1.hour, '1 hour')
+      end
+    end
+
+    context 'when time limit is 2 or more hours' do
+      it 'should display the time in hours using a plural unit' do
+        validate_time_string(2.hours, '2 hours')
+      end
+    end
+
+    context 'when time limit contains fractions of an hour' do
+      it 'should round down to the nearest hour' do
+        validate_time_string(96.minutes, '1 hour')
+      end
+    end
+
+    context 'when time limit is 24 or more hours' do
+      it 'should display the time in days using a singular unit' do
+        validate_time_string(24.hours, '1 day')
+      end
+    end
+
+    context 'when time limit is 2 or more days' do
+      it 'should display the time in days using a plural unit' do
+        validate_time_string(2.days, '2 days')
+      end
+    end
+
+    context 'when time limit contains fractions of a day' do
+      it 'should round down to the nearest day' do
+        validate_time_string(57.hours, '2 days')
+      end
+    end
+  end
+end

spec/mailers/notify_spec.rb

@@ -91,6 +91,11 @@ describe Notify do
     it 'includes a link to the site' do
       is_expected.to have_body_text /#{example_site_path}/
     end
+
+    it 'explains the reset link expiration' do
+      is_expected.to have_body_text(/This link is valid for \d+ (hours?|days?)/)
+      is_expected.to have_body_text(new_user_password_url)
+    end
   end