Reset Password token is Invalid. #2973

Closed
alokswain opened this issue Apr 11, 2014 · 4 comments

Comments

@alokswain

Hi,

Env Info - Rails 4.0.2
Devise - 3.2.2
ORM - Mongoid

To reset the password, the reset password mailer, which is sent with the reset password token, has the same token that is in the database.

In the following commit - 143794d, in recoverable.rb, method reset_password_by_token:
Before: (this directly uses the token passed in attributes)
recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])

After: (the reset password token is calculated using the original token from the db, and then recoverable always initializes an empty record with the error "Reset Password token is invalid", as the token is then not the one that is in the database)
reset_password_token = Devise.token_generator.digest(self, :reset_password_token, original_token)
recoverable = find_or_initialize_with_error_by(:reset_password_token, reset_password_token)

I changed the gem to use the token passed and not the one calculated, and I do not face the error anymore. Am I missing something here?

@josevalim
Contributor

No, you are not missing anything. This is correct and we have mentioned this change in the release notes. :)

@alokswain
Author

@josevalim - Can you give me a link to the release notes? I looked through the commit and wiki but could not figure out the change I will have to make to make the existing code run. Thanks.

@josevalim
Contributor

A more detailed report of the changes can be found here: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/

@alokswain
Author

Many thanks :)
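
The lookup discussed in this thread, as an added example (not Devise's code and not written by either participant): the submitted token is digested before the search, so a mail link carrying the raw token matches, while a link carrying the value stored in the database does not. The HMAC construction, `KEY`, the `digest` helper and the `ResetStore` class are constructed stand-ins for `Devise.token_generator` and the user collection.

```ruby
require "openssl"
require "securerandom"

# Constructed sample key; an assumption for this example, not Devise's key derivation.
KEY = "constructed-sample-key"

# Stand-in for Devise.token_generator.digest: keyed hash of the raw token, per column.
def digest(column, raw)
  OpenSSL::HMAC.hexdigest("SHA256", "#{KEY}:#{column}", raw.to_s)
end

# Hypothetical in-memory user collection: only the digest is ever stored.
class ResetStore
  def initialize
    @digest_by_email = {}
  end

  # Returns the raw token (this is what belongs in the e-mail link)
  # and stores only its digest.
  def issue(email)
    raw = SecureRandom.urlsafe_base64(15)
    @digest_by_email[email] = digest(:reset_password_token, raw)
    raw
  end

  # What sits in the reset_password_token column.
  def stored_value(email)
    @digest_by_email[email]
  end

  # Mirrors the "After" lookup: digest the submitted token, then find by digest.
  # Returns the matching e-mail, or nil (the "token is invalid" case).
  def find_by_token(submitted)
    @digest_by_email.key(digest(:reset_password_token, submitted))
  end
end

store = ResetStore.new
raw = store.issue("user@example.test")

# Mail link built from the raw token: the record is found.
puts store.find_by_token(raw).inspect
# Mail link built from the database column: digest-of-digest, no record found.
puts store.find_by_token(store.stored_value("user@example.test")).inspect
```

Because only the digest is stored, the column value on its own is not a usable reset token; a mailer template has to use the raw token returned when the reset is issued.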
