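# frozen_string_literal: true

# Self-service password reset flow: request a reset e-mail (new/create) and
# set a new password from the single-use token carried in that e-mail
# (edit/update).
class PasswordResetsController < ApplicationController
  # All four actions are for anonymous visitors only. The helper itself is
  # defined elsewhere (presumably ApplicationController) and is not visible here.
  before_action :require_no_authentication, only: %i[new create edit update]
  # Resolve the URL token into @user (or redirect) before a password can change.
  before_action :set_user_by_token, only: %i[edit update]

  # GET /password_resets/new — renders the "enter your e-mail" form.
  def new; end

  # POST /password_resets — looks the account up by e-mail and, if found,
  # generates a reset token and enqueues the reset mail.
  #
  # The redirect and flash are identical whether or not the address is known,
  # so this endpoint cannot be used to enumerate registered e-mails.
  def create
    # `.to_s` guards against a missing or non-string `email` param, which
    # otherwise raised NoMethodError on `nil.downcase` and produced a 500
    # instead of the neutral redirect below. Case and surrounding whitespace
    # are normalised so a slightly mistyped address still reaches its account.
    email = params[:email].to_s.strip.downcase
    # An empty address can never identify an account, so skip the query.
    user = email.empty? ? nil : User.find_by(email: email)

    if user
      # Assumed to persist a fresh token and sent-at timestamp on the user —
      # defined on the model, not shown here.
      user.generate_password_reset_token
      # deliver_later enqueues the mail rather than sending inline, which should
      # keep the response time for known and unknown addresses close together.
      PasswordResetMailer.reset_password(user).deliver_later
    end

    # Always show success message to prevent email enumeration
    redirect_to login_path, notice: "If an account exists with that email, you will receive password reset instructions."
  end

  # GET /password_resets/:id/edit — renders the new-password form. @user has
  # already been resolved and its token validated by set_user_by_token.
  def edit; end

  # PATCH/PUT /password_resets/:id — sets the new password, consumes the token
  # and signs the user in.
  #
  # Re-renders the form with 422 when the model rejects the new password.
  def update
    if @user.update(password_params)
      # update_columns writes straight to the DB, bypassing validations and
      # callbacks: the token is consumed unconditionally so it cannot be
      # replayed, even if the record would otherwise fail validation.
      @user.update_columns(password_reset_token: nil, password_reset_sent_at: nil)
      # NOTE(review): nothing here invalidates other existing sessions for this
      # account; if that is expected after a reset, it must happen elsewhere.
      sign_in(@user)
      redirect_to dashboard_path, notice: "Your password has been reset successfully."
    else
      render :edit, status: :unprocessable_entity
    end
  end

  private

  # Loads the user owning the reset token in params[:id]. Unknown and expired
  # tokens receive the same redirect and alert, so a caller cannot tell which
  # case applied. `password_reset_expired?` is a model method not shown here.
  def set_user_by_token
    @user = User.find_by(password_reset_token: params[:id])
    return if @user && !@user.password_reset_expired?

    redirect_to new_password_reset_path, alert: "Password reset link is invalid or has expired."
  end

  # Strong parameters: only the password pair may be mass-assigned here.
  def password_params
    params.require(:user).permit(:password, :password_confirmation)
  end
end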