Merge pull request #4461 from jjuliano/patch-1

Confirmation link validity is wrong in different time zone
heartcombo · Mar 15, 2017 · a665aad · a665aad
2 parents 0c5d78e + a3d3177
commit a665aad
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@
   * Attempt to reset password without the password field in the request now results in a `:blank` validation error.
     Before this change, Devise would accept the reset password request and log the user in, without validating/changing
     the password. (by @victor-am)
+  * Confirmation links now expire based on UTC time, working properly when using different timezones. (by @jjuliano)
 * enhancements
   * Notify the original email when it is changed with a new `Devise.send_email_changed_notification` setting.
     When using `reconfirmable`, the notification will be sent right away instead of when the unconfirmed email is confirmed.

diff --git a/lib/devise/models/confirmable.rb b/lib/devise/models/confirmable.rb
@@ -225,7 +225,7 @@ def confirmation_period_valid?
         #   confirmation_period_expired?  # will always return false
         #
         def confirmation_period_expired?
-          self.class.confirm_within && self.confirmation_sent_at && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
+          self.class.confirm_within && self.confirmation_sent_at && (Time.now.utc > self.confirmation_sent_at + self.class.confirm_within)
         end
 
         # Checks whether the record requires any confirmation.