Ask A Question

Notifications

You’re not receiving notifications from this thread.

Rails for Beginners Part 22: Password Reset Update Discussion

How do we invalidate a token once it's used? For example you can still use the same token even after you've already reset your password once. That would be nice to implement but not sure whether it's supported. Couldn't find anything about invalidating a token manually on their GitHub page.

Reply

How does the password reset form submit know to do a method of patch (instead of say post)? The form submission looks the same as with the registrations sign-up form, where it is a post.

Reply

In app/controllers/password_resets_controller.rb, the update method doesn't have a rescue (like edit does), but it still uses @user = User.find_signed!. This means that if the user gets to the password reset page and is authed successfully, but doesn't submit the page before the token expires, they will get an exception.

So one solution would be to have it look like this:

def update
@user = User.find_signed!(params[:token], purpose: "password_reset")
rescue ActiveSupport::MessageVerifier::InvalidSignature
redirect_to sign_in_path, alert: "Your token has expired. Please try again."
else
if @user.update(password_params)
redirect_to sign_in_path, notice: "Your password was reset successfully. Please sign in."
else
render :edit
end
end

Reply

Sorry -- the indentation didn't get saved in the above!

Reply

signed_id/find_signed is released with 6.1 version, What should be used in the older version i.e. < 6.1.
For the older version to_sgid() is working fine. How to decrypt token information again? Because find_signed is undefined in the older versions as mentioned.

Regards,

Reply

have you found a solution

Reply
Join the discussion
Create an account Log in

Want to stay up-to-date with Ruby on Rails?

Join 87,563+ developers who get early access to new tutorials, screencasts, articles, and more.

    We care about the protection of your data. Read our Privacy Policy.