When you call set_reset_password_token, it will always generate a new reset_password_token.
This can cause some issues:
A user may click the submit button twice and will receive two emails. One of the emails will have an invalid token (the older one). This can be "fixed" by disabling the submit button after click with JavaScript.
There might be a delay in the email delivery and the user will request another reset password email. Again, one of the emails will have an old and invalid reset password token. I don't see a viable option to fix this with the current code.
Because of this we get a lot of support requests in our application regarding users that can't reset their password.
Would you be willing to accept a PR that changes the set_reset_password_token method to only change the reset_password_token value if it's not valid anymore?
If yes, should this be the default and only behavior or something that can be changed using a Devise option?
I disagree because that may change the threat posture in unexpected ways. Generating a new token on request is the correct behavior. Possibly debouncing the request/submit button would be the better solution to the double tap.
I agree, all the token-based flows in fact should regenerate on a subsequent request. I think confirmation currently doesn't do that. Maybe a PR is needed.
Hello @fernandomm, thanks for your report.
I agree with @rietta - generating a new token on request is the correct behavior.
I know it's not ideal, but if you need this behavior you can override it in your application's code.
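To make the behaviour discussed in this thread concrete, here is an added example that is not Devise's own code and not from any participant: a minimal stand-in for a `:recoverable` model. It assumes, as Devise does, that only a digest of the token is stored and the raw token travels in the e-mail, and it uses a constructed validity window (`RESET_PASSWORD_WITHIN`) in place of Devise's `reset_password_within` option. `set_reset_password_token` shows the default regeneration, which makes the first e-mail's token invalid after a double submit; `set_reset_password_token_reusing_valid` is a hypothetical application-level override of the kind the maintainer says an app can add, and the comment on it records the cost: since only the digest is stored, reuse means the raw token has to be kept somewhere, so it lives longer than in the default flow.

```ruby
require "securerandom"
require "digest"

# Added example: a minimal stand-in for a Devise :recoverable model, not Devise's
# own implementation. Assumptions: the stored column holds a SHA-256 digest of
# the raw token (Devise's token generator also stores a digest, not the raw
# value) and RESET_PASSWORD_WITHIN is a constructed validity window in seconds.
class User
  RESET_PASSWORD_WITHIN = 6 * 60 * 60 # constructed; Devise's default is 6 hours

  attr_reader :reset_password_token, :reset_password_sent_at

  def self.digest(raw)
    Digest::SHA256.hexdigest(raw)
  end

  # Default behaviour described in the issue: every call mints a new token, so a
  # token delivered in an earlier e-mail no longer matches the stored digest.
  def set_reset_password_token(now = Time.now.utc)
    raw = SecureRandom.urlsafe_base64(20)
    @reset_password_token = self.class.digest(raw)
    @reset_password_sent_at = now
    @last_raw = raw # hypothetical: kept only so the reuse variant below can resend it
    raw
  end

  # Hypothetical application-level override of the kind the issue proposes:
  # keep the outstanding token while it is still inside the validity window.
  # Caveat: only the digest is stored, so reuse requires remembering the raw
  # token server-side, which keeps it alive longer than the default flow does.
  def set_reset_password_token_reusing_valid(now = Time.now.utc)
    return @last_raw if @last_raw && reset_password_period_valid?(now)
    set_reset_password_token(now)
  end

  # Mirrors the time-window check: sent_at must be within RESET_PASSWORD_WITHIN.
  def reset_password_period_valid?(now = Time.now.utc)
    !reset_password_sent_at.nil? && (now - reset_password_sent_at) <= RESET_PASSWORD_WITHIN
  end

  # What the edit-password step effectively checks: digest match and the token
  # still being inside the validity window.
  def reset_password_token_valid?(raw, now = Time.now.utc)
    return false if raw.nil? || reset_password_token.nil?
    self.class.digest(raw) == reset_password_token && reset_password_period_valid?(now)
  end
end

# Double submit with the default behaviour: the first e-mail's token is rejected
# once the second request has regenerated the token.
def double_submit_default
  user = User.new
  first = user.set_reset_password_token
  second = user.set_reset_password_token
  [user.reset_password_token_valid?(first), user.reset_password_token_valid?(second)]
end

# Same scenario with the reuse override: both requests carry one and the same token.
def double_submit_reusing
  user = User.new
  first = user.set_reset_password_token_reusing_valid
  second = user.set_reset_password_token_reusing_valid
  [first == second, user.reset_password_token_valid?(first)]
end

# Expiry: a token older than the window is rejected even though its digest matches.
def expired_token_rejected
  user = User.new
  t0 = Time.utc(2020, 1, 1)
  raw = user.set_reset_password_token(t0)
  [user.reset_password_token_valid?(raw, t0 + 3600),
   user.reset_password_token_valid?(raw, t0 + User::RESET_PASSWORD_WITHIN + 1)]
end

if __FILE__ == $0
  p double_submit_default   # => [false, true]
  p double_submit_reusing   # => [true, true]
  p expired_token_rejected  # => [true, false]
end
```

Run it with `ruby reset_token_demo.rb` (file name is arbitrary). The three scenario functions return the validity results rather than printing them, so the same checks can be asserted in a test.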