As a side effect of more secure tokens in Devise 3.1.0, I am unable to find a user anymore with the standard confirmation email link.
Before, I could use User.find_by_confirmation_token, as the value in the URL was equal to the one in the DB. Now, with the encrypted URL value, this is not possible.
I added the following method to my User model:
```ruby
# Class method on User; the name is a placeholder, the original post did not preserve it.
def self.find_by_raw_confirmation_token(confirmation_token)
  original_token = confirmation_token
  confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
  confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
  if !confirmable.persisted? && Devise.allow_insecure_token_lookup
    confirmable = find_or_initialize_with_error_by(:confirmation_token, original_token)
  end
  confirmable
end
```
which is basically a copy of User.confirm_by_token without the confirm! call.
Do you have any better solution in mind for this problem? I cannot really change my flow as users set their password during confirmation (email only signup) so confirming user before password is set would be unwise.
The CHANGELOG and the release notes linked in the CHANGELOG go into detail on how to upgrade Devise and keep the previous token lookup (temporarily). Or are you trying to achieve something else?
Yeah, I know about it, but I thought that for security reasons I shouldn't switch it.
So I am asking about a long term solution! :)
The long term solution should be to work with Devise current mechanism. :)
@josevalim you are not answering my question, but since I have a chance to ask, let me use it.
How would you implement email only sign up to avoid pitfalls?
Your question was not clear to me (and it still isn't). What do you mean by
email only sign up?
Founder and Lead Developer
Oh come on, there's even Devise wiki page on that! ;)
TL;DR allow user to create account without providing anything except for email and ask for details during confirmation.
I got it now, thanks!
Yeah, the approach that you initially mentioned is the best. We can make it
easier in the future, but for now, since we need to maintain both old and
new lookup, it is a bit trickier.
Ok, so I figured it out, if anyone else has this problem maybe they come across my solution above.
Just wanted to note that the "/confirm" method in that tutorial uses the other confirmation_token (before digest) so you will need to modify it in #show to render the right confirmation token in the #show view.
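The digest-based lookup discussed in this thread, as an added example that is not part of the original posts and is not Devise's code: the email link carries the raw token, only a keyed digest is stored, and the account is confirmed in the same step that sets the password. `token_digest`, `UserStore`, `SECRET` and the HMAC-SHA256 scheme are hypothetical stand-ins for `Devise.token_generator.digest` and the User model.

```ruby
require "openssl"
require "securerandom"

SECRET = "constructed-demo-secret" # assumption: stands in for the app's secret key

# Keyed digest of a raw token, bound to a column name (HMAC-SHA256 stand-in).
def token_digest(column, raw)
  key = OpenSSL::HMAC.digest("SHA256", SECRET, "token-key:#{column}")
  OpenSSL::HMAC.hexdigest("SHA256", key, raw.to_s)
end

User = Struct.new(:email, :confirmation_token, :confirmed_at, :password_set)

# Hypothetical in-memory stand-in for the users table.
class UserStore
  def initialize
    @users = []
  end

  # Email-only sign-up: store the digest, return the raw token for the email link.
  def sign_up(email)
    raw = SecureRandom.urlsafe_base64(15)
    @users << User.new(email, token_digest(:confirmation_token, raw))
    raw
  end

  # Find the user for the token from the URL without confirming the account.
  def find_by_raw_token(raw)
    return nil if raw.to_s.empty?
    digest = token_digest(:confirmation_token, raw)
    @users.find { |u| u.confirmation_token == digest }
  end

  # Confirm only in the same step that sets the password; a used link is rejected.
  def confirm_with_password(raw, password)
    user = find_by_raw_token(raw)
    return nil if user.nil? || user.confirmed_at || password.to_s.empty?
    user.password_set = true # a real app stores a password hash here
    user.confirmed_at = Time.now
    user
  end
end
```

The confirmation form has to carry the raw token from the URL back to the server, because the stored digest is not accepted as a token.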
I found this while googling a nearly similar issue, but the root cause turned out to be a lot simpler than any of the advice above. I re-generated all the devise views using the supplied generator rails g devise:views and voila problem resolved.
The issue in my particular case was I was still using old devise views but I had upgraded Devise to version 3.2.1 since I initially ran the Devise views generator. The older views from version 2.X are NOT compatible with Devise 3.X it appears.
@BigNerdRanchDan I think you don't understand what this issue was about, and you didn't carefully read the README/upgrade notes for Devise.
It's in the README that the views are not compatible; however, my issue was very specific and non-standard.