Password reset not working


Kris Luminar

Sep 17, 2015, 11:23:08 AM
to Devise
I'm upgrading to the latest Devise on Rails 3 in preparation for an upgrade to Rails 4 and I've hit a snag with the password resets not working. It doesn't seem that my passwords are getting stored in the User record. The message I'm getting in the flash message is "Reset password token is invalid".

Ruby version: 2.2.3p173
Rails version: 3.2.22
Devise version: 3.5.2

After the call to self.resource = resource_class.reset_password_by_token(resource_params) in Devise::PasswordsController#update, the resource doesn't look right to me for the given params:
    2.2.3 (#<Devise::PasswordsController:0x007fb364f29698>):0 > params
    => {
        "utf8" => "✓",
        "_method" => "put",
        "user" => {
            "reset_password_token" => "n2WQuBbvPh2zezUzANAv",
            "password" => "abc_123",
            "password_confirmation" => "abc_123"
        },
        "commit" => "Change my password",
        "action" => "update",
        "controller" => "devise/passwords"
    }
    2.2.3 (#<Devise::PasswordsController:0x007fb364f29698>):0 > resource_params
    => {
        "reset_password_token" => "n2WQuBbvPh2zezUzANAv",
        "password" => "abc_123",
        "password_confirmation" => "abc_123"
    }
    2.2.3 (#<Devise::PasswordsController:0x007fb364f29698>):0 > resource
    => #<User:0x007fb366974c78> {
        :id => nil,
        :email => nil,
        :confirmation_token => nil,
        :confirmed_at => nil,
        :confirmation_sent_at => nil,
        :reset_password_token => "n2WQuBbvPh2zezUzANAv",
        :remember_created_at => nil,
        :sign_in_count => nil,
        :current_sign_in_at => nil,
        :last_sign_in_at => nil,
        :current_sign_in_ip => nil,
        :last_sign_in_ip => nil,
        :created_at => nil,
        :updated_at => nil,
        :username => nil,
        :role_symbols => [],
        :legacy_unid => nil,
        :agency_id => nil,
        :preconfirmation_request_params => nil,
        :view_preference => nil,
        :first_name => nil,
        :last_name => nil,
        :reset_password_sent_at => nil,
        :active_contact_id => nil,
        :person_document_id => nil,
        :group_document_id => nil,
        :on_power_of_attorney => false,
        :internal_extension => nil,
        :cell_number => nil,
        :active => true,
        :encrypted_password => nil,
        :unconfirmed_email => nil
    }
    2.2.3 (#<Devise::PasswordsController:0x007fb364f29698>):0 > resource.errors
    => {
        :reset_password_token => [
            [0] "is invalid"
        ]
    }

It seems weird to me that neither encrypted_password nor id is set.

Here's the relevant code in my User class:

    class User < ActiveRecord::Base
      # Setup accessible (or protected) attributes for your model
      attr_accessible :email, :password, :encrypted_password, :password_confirmation, :remember_me, :username,
        :first_name, :last_name, :role_symbols, :confirmation_token, :confirmed_at, :confirmation_sent_at,
        :reset_password_token, :remember_created_at, :sign_in_count,
        :internal_extension, :cell_number, :confirm_email, :current_password, :agency_id,
        :current_sign_in_at, :last_sign_in_at, :preconfirmation_request_params, :view_preference,
        :active, :authentication_token, :auth_token

      devise :domino_authenticatable, :confirmable, :rememberable, :trackable, :recoverable

      attr_accessor :password, :encrypted_password, :current_password, :reset_password_token
      attr_accessor :password_confirmation
      attr_accessor :confirm_email
    end

My devise config file can be found here:
https://gist.github.com/kris-luminar/948ac3477ffebb777e91

I've confirmed that my reset password email template is up-to-date (Step 2 in http://joanswork.com/devise-3-1-update/).

My best guess is that my attr_accessor or attr_accessible setup is wrong but tinkering with those settings hasn't worked yet.

Kris Luminar

Sep 18, 2015, 11:18:47 AM
to Devise
I figured this out with the help of one of my colleagues. The issue was attr_accessor :reset_password_token. This was overriding the methods with the same names (reset_password_token and reset_password_token=) inside of Devise.
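
The shadowing described in this post, reproduced as an added example that is not part of the original thread and is not Devise or ActiveRecord code. `TinyRecord`, `GoodUser`, `ShadowedUser` and `issue_and_lookup` are hypothetical stand-ins: column accessors write to a persisted attribute hash, and the extra `attr_accessor` diverts the token into a plain instance variable, so a later lookup by token finds nothing.

```ruby
# Stand-in for an ORM model (assumption: this is not ActiveRecord or Devise).
# Column accessors live in an included module and read/write @attributes,
# which is the only state save() persists.
class TinyRecord
  STORE = [] # constructed in-memory "table"

  def self.columns(*names)
    readers = Module.new do
      names.each do |n|
        define_method(n)       { @attributes[n] }
        define_method("#{n}=") { |v| @attributes[n] = v }
      end
    end
    include readers # methods defined in the class body take precedence over these
  end

  def self.find_by(col, value)
    STORE.find { |row| row[col] == value }
  end

  def initialize
    @attributes = {}
  end

  def save
    STORE << @attributes.dup
  end
end

class GoodUser < TinyRecord
  columns :email, :reset_password_token
end

class ShadowedUser < TinyRecord
  columns :email, :reset_password_token
  attr_accessor :reset_password_token # the line from the thread
end

# Assign a token, save, then look the record up by that token (constructed flow).
def issue_and_lookup(klass, token)
  TinyRecord::STORE.clear
  user = klass.new
  user.email = "user@example.test"
  user.reset_password_token = token
  user.save
  { in_memory: user.reset_password_token,
    found: !klass.find_by(:reset_password_token, token).nil? }
end
```

With `ShadowedUser` the object still reports the token in memory, which is why the problem is easy to miss in a console session; only the stored row lacks it.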

Kris Luminar

Sep 21, 2015, 10:49:08 AM
to plataforma...@googlegroups.com
Also, all of those attr_accessible options were wrong and represented a serious security issue. I deleted all of them.
