No longer able to find user by confirmation token in Devise 3.1.0 #2599

Closed
hajder opened this Issue · 11 comments

3 participants

@hajder

As a side effect of more secure tokens in Devise 3.1.0, I am no longer able to find a user with the standard confirmation email link.

Before, I used User.find_by_confirmation_token, as the value in the URL was equal to the one in the DB. Now, with the encrypted URL value, this is not possible.

I added the following method to my User model:

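def self.find_by_confirmation_token(confirmation_token)
  # Keep the raw value from the URL for the optional legacy lookup below.
  original_token = confirmation_token
  # The database stores the digest, so digest the URL value before searching.
  confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)

  confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
  # Fall back to the undigested token only if insecure lookup is enabled.
  if !confirmable.persisted? && Devise.allow_insecure_token_lookup
    confirmable = find_or_initialize_with_error_by(:confirmation_token, original_token)
  end

  # Return the record without calling confirm!.
  confirmable
end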

which is basically a copy of User.confirm_by_token without the confirm! call.

Do you have any better solution in mind for this problem? I cannot really change my flow, as users set their password during confirmation (email-only signup), so confirming the user before the password is set would be unwise.
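The lookup described in the post above, as an added example that is not part of the original thread and is not Devise's code: a stand-alone Ruby model in which only a keyed digest of the confirmation token is stored, so the value from the e-mail link has to be digested before the lookup. The class names, the HMAC-SHA256 construction, the secret and the in-memory store are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Model only: TokenDigester, UserStore and the secret are hypothetical names.
class TokenDigester
  def initialize(secret)
    @secret = secret
  end

  # Per-column key, so a digest for one token type is useless for another.
  def digest(column, raw)
    key = OpenSSL::HMAC.digest("SHA256", @secret, "token #{column}")
    OpenSSL::HMAC.hexdigest("SHA256", key, raw.to_s)
  end

  # Returns [raw, digest]: raw goes in the e-mail link, digest in the database.
  def generate(column)
    raw = SecureRandom.urlsafe_base64(15)
    [raw, digest(column, raw)]
  end
end

class UserStore
  def initialize(digester)
    @digester = digester
    @rows = {} # stored digest => user record (stands in for the users table)
  end

  # Creates an unconfirmed user and returns the raw token for the e-mail link.
  def sign_up(email)
    raw, stored = @digester.generate(:confirmation_token)
    @rows[stored] = { email: email, confirmed: false }
    raw
  end

  # Find without confirming: digest the URL value first, then search.
  def find_by_confirmation_token(url_token)
    @rows[@digester.digest(:confirmation_token, url_token)]
  end

  # What a leaked users table would expose: digests only.
  def stored_tokens
    @rows.keys
  end
end

DIGESTER = TokenDigester.new("constructed-secret-for-example") # constructed value
STORE = UserStore.new(DIGESTER)
RAW_TOKEN = STORE.sign_up("user@example.test") # constructed sample address
```

A value read from the stored column does not work as a link token in this model, because the lookup digests whatever it is given.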

@josevalim
Owner

The CHANGELOG and the release notes linked in the CHANGELOG go into detail on how to upgrade Devise and keep the previous token lookup (temporarily). Or are you trying to achieve something else?

@hajder

Yeah, I know about it, but I thought that for security reasons I shouldn't switch it.
So I am asking about a long term solution! :)

@josevalim
Owner

The long-term solution should be to work with Devise's current mechanism. :)

@hajder

@josevalim you are not answering my question, but since I have a chance to ask, let me use it.

How would you implement email only sign up to avoid pitfalls?

@josevalim
Owner
@hajder

Oh come on, there's even a Devise wiki page on that! ;)

https://github.com/plataformatec/devise/wiki/How-To:-Email-only-sign-up

TL;DR: allow the user to create an account without providing anything except an email, and ask for details during confirmation.

@josevalim
Owner
@hajder

OK, so I figured it out. If anyone else has this problem, maybe they will come across my solution above.

@hajder hajder closed this
@deloschang

Just wanted to note that the "/confirm" method in that tutorial uses the other confirmation_token (before digest) so you will need to modify it in #show to render the right confirmation token in the #show view.

@ghost

I found this while googling a nearly similar issue, but the root cause turned out to be a lot simpler than any of the advice above. I re-generated all the devise views using the supplied generator rails g devise:views and voila problem resolved.

The issue in my particular case was I was still using old devise views but I had upgraded Devise to version 3.2.1 since I initially ran the Devise views generator. The older views from version 2.X are NOT compatible with Devise 3.X it appears.

@hajder

@BigNerdRanchDan I think you don't understand what this issue was about as well as you didn't carefully read readme/upgrade notes for Devise.

It's in the README that the views are not compatible; however, my issue was very specific and non-standard.
