class PasswordResetsController < ApplicationController
  skip_before_action :authenticate

<% if options.lockable? -%>
  before_action :require_locking, only: :create
<% end -%>
  before_action :set_<%= singular_table_name %>, only: :update

  def create
    if @<%= singular_table_name %> = <%= class_name %>.find_by(email: params[:email], verified: true)
      IdentityMailer.with(<%= singular_table_name %>: @<%= singular_table_name %>).password_reset_provision.deliver_later
    else
      render json: { error: "You can't reset your password until you verify your email" }, status: :not_found
    end
  end

  def update
    if @<%= singular_table_name %>.update(<%= "#{singular_table_name}_params" %>)
      render json: @<%= singular_table_name %>
    else
      render json: @<%= singular_table_name %>.errors, status: :unprocessable_entity
    end
  end

  private
    def set_<%= singular_table_name %>
      @<%= singular_table_name %> = <%= class_name %>.find_signed!(params[:token], purpose: :password_reset)
    rescue
      render json: { error: "That password reset link is invalid" }, status: :bad_request
    end

    def <%= "#{singular_table_name}_params" %>
      params.permit(:password, :password_confirmation)
    end
<% if options.lockable? %>
    def require_locking
      Locking.lock_on("password_reset_lock:#{request.remote_ip}", wait: 1.hour, attempts: 10) do
        render json: { error: "You've exceeded the maximum number of attempts" }, status: :too_many_requests
      end
    end
<% end -%>
end