Allow overriding the source of the password_reset_token
Changes no behavior by default, but this allows for pulling the token out of the session for example.
The motivation behind this is to stop leaking the token to third parties when tracking JavaScript is present on the page (e.g. Google Analytics).
We're overriding edit to set the token in the session and then redirect, taking it out of the URL, and this change would enable us to be slightly less coupled to Devise's internals.
+1 on this, I had to do this today, and was one of the strategies I saw in https://thoughtbot.com/blog/is-your-site-leaking-password-reset-links
What is the point of setting a password if someone without the password can override a password?
@Polaris253 hi! So you know when you forget your password, and you submit a request to reset your password? It sends you an email containing a link with a password reset token in the URL. This PR just makes it easy to override where that token is pulled from, as URLs are often logged to places you may not want your tokens stored.
These tokens should be short lived and terminated after use anyways, so there isn't much of a risk of them ending up in the logs (you can also filter the param from logging). I might misunderstand something, but if you have the token in the session and the link in the email doesn't contain it, then it defeats the purpose of it, doesn't it? And a user can just ask for a password reset, then without having access to the email, they can just go to the edit page and the token would be verified from the session, wouldn't it?
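The flow the thread describes, as an added stand-alone example that is not Devise's code or this PR's: the emailed link still carries the token, the first request to the edit page moves it from the URL into the session and redirects to a token-free URL, and the update step reads it back from the session and verifies it against a stored digest, single use. Merely requesting a reset writes nothing to the session, so the edit page stays closed until the emailed link is actually followed. `TokenStore`, `handle_edit` and `handle_update` are assumed names standing in for the model and controller actions; there is no Rails here.

```ruby
require "securerandom"
require "openssl"
# Constructed in-memory stand-in for the users table: maps the SHA-256 digest of a
# reset token to its account plus an expiry. Only the digest is ever stored.
class TokenStore
  TTL = 6 * 60 * 60 # seconds a token stays valid (assumed value)
  def initialize
    @by_digest = {}
  end
  # Called when the user requests a reset: returns the raw token that goes into
  # the e-mail link. Nothing is written to the requester's session here.
  def issue(email, now = Time.now)
    raw = SecureRandom.urlsafe_base64(20)
    @by_digest[digest(raw)] = { email: email, expires_at: now + TTL }
    raw
  end
  # Verifies the raw token and consumes it: single use, expired tokens rejected.
  def redeem(raw, now = Time.now)
    return nil if raw.nil?
    rec = @by_digest.delete(digest(raw))
    return nil if rec.nil? || rec[:expires_at] < now
    rec[:email]
  end
  private
  def digest(raw)
    OpenSSL::Digest::SHA256.hexdigest(raw)
  end
end

# Simulated GET /password/edit?reset_password_token=...: on the first visit move the
# token from the query string into the session and redirect to a token-free URL,
# so page scripts and referrer logs never see it; later visits render the form.
def handle_edit(params, session)
  if params[:reset_password_token]
    session[:reset_password_token] = params[:reset_password_token]
    return { redirect: "/password/edit" }
  end
  return { status: 401 } unless session[:reset_password_token] # link never followed
  { render: :edit }
end

# Simulated PUT /password: the token comes from the session instead of the form,
# is checked against the digest store, and is cleared from the session either way.
def handle_update(params, session, store)
  email = store.redeem(session.delete(:reset_password_token))
  return { status: 422 } unless email
  { status: 200, email: email, password: params[:password] }
end
```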