Skip to content


Subversion checkout URL

You can clone with
Download ZIP


No longer able to find user by confirmation token in Devise 3.1.0 #2599

hajder opened this Issue · 11 comments

3 participants


As a side effect of more secure tokens in Devise 3.1.0 I am unable to find a user anymore with standard confirmation email link.

Before I found use User.find_by_confirmation_token as value in url was equal to one in db. Now with encrypted url value this is not possible.

I added following method to my User model

def self.find_by_confirmation_token(confirmation_token)
  original_token = confirmation_token
  confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)

  confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
  if !confirmable.persisted? && Devise.allow_insecure_token_lookup
    confirmable = find_or_initialize_with_error_by(:confirmation_token, original_token)


which is basically a copy of User.confirm_by_token without confirm! call.

Do you have any better solution in mind for this problem? I cannot really change my flow as users set their password during confirmation (email only signup) so confirming user before password is set would be unwise.


The CHANGELOG and the release notes linked in the CHANGELOG goes in detail how to upgrade Devise and keep the previous token lookup (temporarily). Or are you trying to achieve something else?


Yeah, I know about it, but I thought that for security reasons I shouldn't switch it.
So I am asking about a long term solution! :)


The long term solution should be to work with Devise current mechanism. :)


@josevalim you are not answering my question, but since I have a chance to ask, let me use it.

How would you implement email only sign up to avoid pitfalls?


Oh come on, there's even Devise wiki page on that! ;)

TL;DR allow user to create account without providing anything except for email and ask for details during confirmation.


Ok, so I figured it out, if anyone else has this problem maybe they come across my solution above.

@hajder hajder closed this

Just wanted to note that the "/confirm" method in that tutorial uses the other confirmation_token (before digest) so you will need to modify it in #show to render the right confirmation token in the #show view.


I found this while googling a nearly similar issue, but the root cause turned out to be a lot simpler than any of the advice above. I re-generated all the devise views using the supplied generator rails g devise:views and voila problem resolved.

The issue in my particular case was I was still using old devise views but I had upgraded Devise to version 3.2.1 since I initially ran the Devise views generator. The older views from version 2.X are NOT compatible with Devise 3.X it appears.


@BigNerdRanchDan I think you don't understand what this issue was about as well as you didn't carefully read readme/upgrade notes for Devise.

It's in read me that the views are not compatible, however my issue was very specific and non-standard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.