Add sign_in_after_reset_password? check hook to passwords controller (#5826)

Extract a couple small duplicate checks into a method, enabling it as a
hook that can be overridden if necessary. It's going to be particularly useful
on a flow I'm working on / testing out, to avoid having to copy over the whole
block of code from the controller to customize it.

We have a similar hook on the registration controller for
`sign_in_after_change_password?`, which was also moved to protected.

While not much practical change, it hopefully shows better the intention
that it's a method users can override if they need, similar to a few
other methods in controllers.

Also move `update_needs_confirmation?` down to private, as this one in
particular I don't think we intended to allow overriding, as it has no
practical behavior change other than the flash message.

Author: carlosantoniodasilva

CHANGELOG.md

@@ -1,7 +1,8 @@
 ### Unreleased
 
 * enhancements
-  * Allow resource class scopes to override the global configuration for `sign_in_after_change_password` behaviour. [#5824](https://github.com/heartcombo/devise/pull/5824)
+  * Allow resource class scopes to override the global configuration for `sign_in_after_change_password` behaviour. [#5825](https://github.com/heartcombo/devise/pull/5825)
+  * Add `sign_in_after_reset_password?` check hook to passwords controller, to allow it to be customized by users. [#5826](https://github.com/heartcombo/devise/pull/5826)
 
 ### 5.0.1 - 2026-02-13
 

app/controllers/devise/passwords_controller.rb

@@ -36,7 +36,7 @@ def update
 
     if resource.errors.empty?
       resource.unlock_access! if unlockable?(resource)
-      if resource_class.sign_in_after_reset_password
+      if sign_in_after_reset_password?
         flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
         set_flash_message!(:notice, flash_message)
         resource.after_database_authentication
@@ -53,7 +53,7 @@ def update
 
   protected
     def after_resetting_password_path_for(resource)
-      resource_class.sign_in_after_reset_password ? after_sign_in_path_for(resource) : new_session_path(resource_name)
+      sign_in_after_reset_password? ? after_sign_in_path_for(resource) : new_session_path(resource_name)
     end
 
     # The path used after sending reset password instructions
@@ -69,6 +69,11 @@ def assert_reset_token_passed
       end
     end
 
+    # Check if the user should be signed in automatically after resetting the password.
+    def sign_in_after_reset_password?
+      resource_class.sign_in_after_reset_password
+    end
+
     # Check if proper Lockable module methods are present & unlock strategy
     # allows to unlock resource on password reset
     def unlockable?(resource)

app/controllers/devise/registrations_controller.rb

@@ -82,12 +82,6 @@ def cancel
 
   protected
 
-  def update_needs_confirmation?(resource, previous)
-    resource.respond_to?(:pending_reconfirmation?) &&
-      resource.pending_reconfirmation? &&
-      previous != resource.unconfirmed_email
-  end
-
   # By default we want to require a password checks on update.
   # You can overwrite this method in your own RegistrationsController.
   def update_resource(resource, params)
@@ -133,6 +127,13 @@ def authenticate_scope!
     self.resource = send(:"current_#{resource_name}")
   end
 
+  # Check if the user should be signed in automatically after updating the password.
+  def sign_in_after_change_password?
+    return true if account_update_params[:password].blank?
+
+    resource_class.sign_in_after_change_password
+  end
+
   def sign_up_params
     devise_parameter_sanitizer.sanitize(:sign_up)
   end
@@ -160,9 +161,9 @@ def set_flash_message_for_update(resource, prev_unconfirmed_email)
     set_flash_message :notice, flash_key
   end
 
-  def sign_in_after_change_password?
-    return true if account_update_params[:password].blank?
-
-    resource_class.sign_in_after_change_password
+  def update_needs_confirmation?(resource, previous)
+    resource.respond_to?(:pending_reconfirmation?) &&
+      resource.pending_reconfirmation? &&
+      previous != resource.unconfirmed_email
   end
 end