Question

I added a new migration to a table in my app and I migrated. Since it had errors, I dropped and migrated it. When I signed up for a user and tried to confirm it using email (Devise, confirmable), it just won't confirm. It says invalid confirmation token. I have tried restarting the server. Dropping and migrating again, everything possible as far as I know. I am using Rails 3.2.9 and Ruby 1.9.3. Devise version is 3.1.0. Devise is also included in other gems I have added like rails-messaging and active-admin.

Started POST "/users/confirmation" for 127.0.0.1 at 2013-09-16 19:42:47 +0530
Processing by Devise::ConfirmationsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"4lMxdlsMqRCJB1doxt/hTCQhUPvAoGPiSbr9wQA/ZAQ=", "user"=>{"email"=>"pro.aravind@gmail.com"}, "commit"=>"Resend confirmation instructions"}

User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."unconfirmed_email" = 'pro.aravind@gmail.com' LIMIT 1

User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."email" = 'pro.aravind@gmail.com' LIMIT 1
  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."confirmation_token" = 'cc47150f51ec476aa40ea1d546e27c0dafc37ffc8bb82272a9f2377c863daed1' LIMIT 1
   (0.1ms)  begin transaction
   (0.3ms)  UPDATE "users" SET "confirmation_token"='cc47150f51ec476aa40ea1d546e27c0dafc37ffc8bb82272a9f2377c863daed1', "confirmation_sent_at" = '2013-09-16 14:12:47.174313', "updated_at" = '2013-09-16 14:12:47.175384' WHERE "users"."id" = 1
   (175.3ms)  commit transaction
  Rendered devise/mailer/confirmation_instructions.html.erb (0.6ms)

Sent mail to pro.aravind@gmail.com (5099ms)
Date: Mon, 16 Sep 2013 19:42:47 +0530
From: please-change-me-at-config-initializers-devise@example.com
Reply-To: please-change-me-at-config-initializers-devise@example.com
To: pro.aravind@gmail.com
Message-ID: <523711df6bb56_3a029657f88282b@aravind-VPCEB46FGB.mail>
Subject: Confirmation instructions
Mime-Version: 1.0
Content-Type: text/html;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

<p>Welcome pro.aravind@gmail.com!</p>

<p>You can confirm your account email through the link below:</p>

<p><a href="http://localhost:3000/users/confirmation?confirmation_token=cc47150f51ec476aa40ea1d546e27c0dafc37ffc8bb82272a9f2377c863daed1">Confirm my account</a></p>

Redirected to http://localhost:3000/users/sign_in
Completed 302 Found in 5387ms (ActiveRecord: 0.0ms)

Solution 2

This likely has to do with the security updates in Devise 3.1. The token that is sent to the user does not match the one that is in the database. You could turn off this feature by including this in your devise initializer:

config.allow_insecure_token_lookup = true

But it would be best to just delete the user and create a new one with the new token system.

See this blog post about the security changes in Devise 3.1: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/ You're looking for the section titled "Store digested tokens in the database".

OTHER TIPS

Going to add my experience here in case it can help someone else. The upgrade to Devise 3.1, as BillyMFH said, changed the way tokens are created. The blog post has a lot of information in it, and the solution to the problem in this answer is a temporary one.

If config.allow_insecure_token_lookup is set to false (and once this option is deprecated), the fix in my case was to update the email views Devise uses to send out links containing tokens.

Old Devise email views contain lines like this:

<p><%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %></p>

This uses the old token stored in the DB. Now you simply do this:

<p><%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @token) %></p>

Just replace the old token from the resource with the new instance variable @token.

The link in the blog post to this change is highlighted here: Devise email view token change

You just need to make the following changes when you update Devise or else

Replace the following line in the file app/views/devise/mailer/confirmation_instructions.html.erb:

<p><%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %></p>

with the new line:

<p><%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @token) %></p>

This will definitely solve your problem; it just worked for me.

Cheers!
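
Added example (not part of the original answers and not Devise's own code): a simplified Ruby model of digested-token storage, showing why a mail view that links the database column value fails while one that links @token succeeds. In the question's log, the link carries the same 64-character value that the UPDATE writes to the column, which is the failing case. The key, the helper names and the sample user are assumptions constructed for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Simplified model of digested-token storage; not Devise's source.
# KEY is a constructed stand-in for a server-side secret.
KEY = 'constructed-demo-key'

def digest(raw)
  OpenSSL::HMAC.hexdigest('SHA256', KEY, raw)
end

# Returns [raw, stored]: raw belongs in the email link (@token in the view),
# stored is what is written to the confirmation_token column.
def generate_token
  raw = SecureRandom.urlsafe_base64(15)
  [raw, digest(raw)]
end

# Confirmation lookup: digest whatever arrived in the URL, then match it
# against the column, so a leaked column value alone confirms nothing.
def find_user_by_link_token(users, token_from_link)
  wanted = digest(token_from_link.to_s)
  users.find { |u| u[:confirmation_token] == wanted }
end

# Direct comparison of the URL value with the column, modelled here as the
# legacy lookup that config.allow_insecure_token_lookup refers to (assumption).
def find_user_insecure(users, token_from_link)
  users.find { |u| u[:confirmation_token] == token_from_link }
end

def demo
  raw, stored = generate_token
  users = [{ email: 'user@example.test', confirmation_token: stored }] # constructed
  {
    old_view: find_user_by_link_token(users, stored),    # link built from @resource.confirmation_token
    new_view: find_user_by_link_token(users, raw),       # link built from @token
    old_view_insecure: find_user_insecure(users, stored) # old view with legacy lookup
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, user| puts "#{name}: #{user ? 'confirmed' : 'invalid token'}" }
end
```

The old view only works under the legacy lookup, which is also the case where anyone who can read the users table can confirm accounts, so updating the view is the fix to prefer.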

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow