Auth header is not being set in sign up when using confirmable with allowed unconfirmed access #361

Closed
virginia-rodriguez opened this issue Aug 28, 2015 · 3 comments

@virginia-rodriguez

On sign up, although unconfirmed access is configured, auth headers are not updated. So automatic sign in after sign up does not occur (this works fine if the confirmable module is not used).

I think it's because of the following line: https://github.com/lynndylanhurley/devise_token_auth/blob/master/app/controllers/devise_token_auth/registrations_controller.rb#L51

    unless @resource.confirmed?

should be replaced by:

    !@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?

just like it was replaced in colavitam@269e023

Is this correct?

virginia-rodriguez changed the title from "Auth header is not set in sign up when using confirmable with allowed unconfirmed access" to "Auth header is not being set in sign up when using confirmable with allowed unconfirmed access" on Aug 28, 2015
@virginia-rodriguez

Well, I think that what I said before is not completely right. First of all, the condition should be the opposite, and also in that case the confirmation email will not be sent.

So, I think something like this should be the right way to go:

    unless @resource.confirmed?
      @resource.send_confirmation_instructions({
        client_config: params[:config_name],
        redirect_url: redirect_url
      })
    end

    if !@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?
      # email auth has been bypassed, authenticate user
      @client_id = SecureRandom.urlsafe_base64(nil, false)
      @token     = SecureRandom.urlsafe_base64(nil, false)

      @resource.tokens[@client_id] = {
        token: BCrypt::Password.create(@token),
        expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
      }

      @resource.save!

      update_auth_header
    end
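The gating logic proposed in the comment above, as an added example that is not part of the thread or of devise_token_auth: it keeps "send the confirmation mail" and "issue auth headers" as two independent decisions. `ConfirmableUser`, `PlainUser`, `sign_up` and `grace_seconds` are hypothetical stand-ins, SHA-256 replaces the BCrypt hash so the block needs only the standard library, and the token lifespan is a constructed value.

```ruby
require 'securerandom'
require 'digest'

# Stand-in for a Devise :confirmable model (hypothetical, not Devise's code).
# grace_seconds plays the role of the allowed unconfirmed access period.
class ConfirmableUser
  attr_reader :tokens, :mail_sent

  def initialize(grace_seconds:, confirmed: false, signed_up_at: Time.now)
    @grace_seconds = grace_seconds
    @confirmed = confirmed
    @signed_up_at = signed_up_at
    @tokens = {}
    @mail_sent = false
  end

  def confirmed?
    @confirmed
  end

  def send_confirmation_instructions
    @mail_sent = true
  end

  # Active when confirmed, or while still inside the unconfirmed grace window.
  def active_for_authentication?(now = Time.now)
    confirmed? || now - @signed_up_at < @grace_seconds
  end
end

# Model without confirmable: responds to neither predicate.
PlainUser = Struct.new(:tokens)

# 1) Mail goes out whenever the account is unconfirmed.
# 2) Auth headers are issued only if the account may authenticate right now.
def sign_up(resource)
  resource.send_confirmation_instructions if resource.respond_to?(:confirmed?) && !resource.confirmed?
  may_auth = !resource.respond_to?(:active_for_authentication?) ||
             resource.active_for_authentication?
  return nil unless may_auth

  client_id = SecureRandom.urlsafe_base64
  token = SecureRandom.urlsafe_base64
  # Only a digest of the token is stored server-side (SHA-256 here, BCrypt in the thread).
  resource.tokens[client_id] = { token: Digest::SHA256.hexdigest(token),
                                 expiry: (Time.now + 1_209_600).to_i } # constructed lifespan
  { 'client' => client_id, 'access-token' => token }
end
```

With a zero or expired grace period `sign_up` returns `nil` while the confirmation mail is still sent, so no token exists for an account that is not yet allowed to authenticate.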

@sgonyea

sgonyea commented Sep 20, 2015

Thanks for reporting this, @virginia-rodriguez! I'm hitting this issue as well and am shutting off confirmable for the time being.

Would you like to create a PR for this? Your code appears to be correct.

@zachfeldman

Seems like this is solved? See #89. Otherwise feel free to reopen.
