Fix lost password redirects

app/controllers/account_controller.rb

@@ -90,12 +90,12 @@ class AccountController < ApplicationController
   end
 
   # Enable user to choose a new password
-  def lost_password
-    return redirect_to(home_url) unless allow_lost_password_recovery?
+  def lost_password # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
+    return redirect_to(home_url, status: :see_other) unless allow_lost_password_recovery?
 
     if params[:token]
       @token = ::Token::Recovery.find_by_plaintext_value(params[:token])
-      redirect_to(home_url) && return unless @token and !@token.expired?
+      redirect_to(home_url, status: :see_other) && return unless @token and !@token.expired?
 
       @user = @token.user
       if request.post?
@@ -104,7 +104,7 @@ class AccountController < ApplicationController
 
         if call.success?
           @token.destroy
-          redirect_to action: "login"
+          redirect_to action: "login", status: :see_other
           return
         end
       end
@@ -121,6 +121,7 @@ class AccountController < ApplicationController
       unless user
         # user not found in db
         Rails.logger.error "Lost password unknown email input: #{mail}"
+        redirect_to action: :lost_password, status: :see_other
         return
       end
 
@@ -128,6 +129,7 @@ class AccountController < ApplicationController
         # user uses an external authentication
         UserMailer.password_change_not_possible(user).deliver_later
         Rails.logger.warn "Password cannot be changed for user: #{mail}"
+        redirect_to action: :lost_password, status: :see_other
         return
       end
 
@@ -136,7 +138,7 @@ class AccountController < ApplicationController
       if token.save
         UserMailer.password_lost(token).deliver_later
         flash[:notice] = I18n.t(:notice_account_lost_email_sent)
-        redirect_to action: "login", back_url: home_url
+        redirect_to action: :lost_password, status: :see_other
         nil
       end
     end

spec/requests/rate_limiting/lost_password_rate_limiting_spec.rb

@@ -44,7 +44,7 @@ RSpec.describe "Rate limiting lost_password",
       post account_lost_password_path,
            params: { mail: "foo@example.com" },
            headers: { "Content-Type": "multipart/form-data" }
-      expect(response).to be_successful
+      expect(response).to be_redirect
     end
 
     post account_lost_password_path,
@@ -56,7 +56,7 @@ RSpec.describe "Rate limiting lost_password",
     post account_lost_password_path,
          params: { mail: "corrected@example.com" },
          headers: { "Content-Type": "multipart/form-data" }
-    expect(response).to be_successful
+    expect(response).to be_redirect
   end
 
   context "when disabled", with_config: { rate_limiting: { lost_password: false } } do
@@ -68,7 +68,7 @@ RSpec.describe "Rate limiting lost_password",
         post account_lost_password_path,
              params: { mail: "foo@example.com" },
              headers: { "Content-Type": "multipart/form-data" }
-        expect(response).to be_successful
+        expect(response).to be_redirect
       end
     end
   end