Reputation: 95
My reset password token is leaking to Google Analytics when the user clicks on the link in the email to reset the token. http://localhost:5000/users/password/edit?reset_password_token=g1xMHpjsDEE3MkMFUapo
After inspecting, I can see
Tried the following links, but no use. Please help.
https://thoughtbot.com/blog/is-your-site-leaking-password-reset-links
https://github.com/thoughtbot/clearance/pull/707
https://github.com/thoughtbot/clearance/pull/706
My passwords_controller.rb:
def create
  self.resource = resource_class.send_reset_password_instructions(resource_params)
  yield resource if block_given?

  if successfully_sent?(resource)
    respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
  else
    respond_with(resource)
  end
end

def edit
  self.resource = resource_class.new
  resource.reset_password_token = params[:reset_password_token]
end
Upvotes: 3
Views: 685
Reputation: 584
You can just take away the Google Analytics script from that specific page.
I assume that you import the script in the application layout file, so you have two options:
If you do one of the two, it should stop "leaking".
Upvotes: 1
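One way to apply the suggestion in the answer above, as an added example that is not part of the original posts: decide per request whether the layout may emit the analytics script, and leave it out on the reset page or whenever the URL carries the token. The names `include_analytics?`, `render_layout`, `SENSITIVE_PATHS` and `SENSITIVE_PARAMS`, the stand-in layout and the `analytics.example` script URL are assumptions; in a Rails app the check would sit in a view helper called from the application layout.

```ruby
require "erb"
require "uri"

# Assumed from the question: the Devise reset route and its parameter name.
SENSITIVE_PATHS  = %w[/users/password/edit].freeze
SENSITIVE_PARAMS = %w[reset_password_token].freeze

# True only when the URL is not the reset page and carries no reset token.
# Fails closed: a URL that cannot be parsed never gets the analytics script.
def include_analytics?(url)
  uri = URI.parse(url)
  return false if SENSITIVE_PATHS.include?(uri.path)

  names = URI.decode_www_form(uri.query.to_s).map(&:first)
  (names & SENSITIVE_PARAMS).empty?
rescue URI::InvalidURIError, ArgumentError
  false
end

# Constructed stand-in for app/views/layouts/application.html.erb.
LAYOUT = ERB.new(<<~HTML, trim_mode: "-")
  <html>
    <head>
      <title>Example</title>
      <%- if analytics -%>
      <script src="https://analytics.example/placeholder.js"></script>
      <%- end -%>
    </head>
    <body><%= ERB::Util.html_escape(body) %></body>
  </html>
HTML

# Renders the layout for the page at `url`, with or without the script tag.
def render_layout(url, body)
  LAYOUT.result_with_hash(analytics: include_analytics?(url), body: body)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample URLs; the token value is a placeholder.
  reset = "http://localhost:5000/users/password/edit?reset_password_token=CONSTRUCTED"
  puts render_layout(reset, "Change your password")
  puts render_layout("http://localhost:5000/", "Home")
end
```

The parameter check also covers any other route that happens to receive `reset_password_token` in its query string, not only the listed path.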