I am trying to use the password reset function of Devise. I set up an account on Mandrill for sending emails.
So when I go to /users/password/new and click on send instructions, I receive an email with a link "Change my password". Here is the link ref:
http://mandrillapp.com/track/click.php?u=30099686&id=bc6ced2b3ac34c9f93f7cd95b1ea1106&url=http%3A%2F%2Flocalhost%3A3000%2Fusers%2Fpassword%2Fedit%3Freset_password_token%3Dd8c12b50e66069b5d8b22e9b054af3441ced62e6ab3648392960823373db1524&url_id=c142395039d4f32dd19fa3b6a6f18291971049fc
When I click on it, it sends me to /users/password/edit?reset_password_token=XXX.
But if I change the password, the following flash message appears on the page: Reset password token invalid.
I am not overriding any Devise controllers.
Can anyone help me?


Why have you opened another issue without putting all the information asked in the previous one? Please include Devise and Rails versions. Are you using the default templates? Where are you getting the token from? Are you using markerb? Please don't open another issue, comment on this one.
I'd be glad to help track down the problem (which is probably in the code that passes the token to the mandrill template), but there's definitely not enough information here, and stackoverflow would be a more appropriate venue.
Sorry, I am quite new to this kind of thing.
Rails version: 3.2.13
Devise version: 3.1.1
I am using this template: devise/passwords/edit.html.erb. Here is the code:
Change your password
<%= form_for(resource, :as => resource_name, :url => password_path(resource_name), :html => { :method => :put }) do |f| %>
<%= devise_error_messages! %>
<%= f.hidden_field :reset_password_token %>
<%= render "devise/shared/links" %>
It's practically the default view.
I actually don't know where I get the token from, can you give me some advice?
Glad to!
It is ok to be new, just try to read carefully the instructions as we get dozens of reports per month and providing the maximum amount of information as you can makes tracking the issue down easier for me and for you!
More questions: have you recently upgraded your Devise version? Also, where are you getting the token from? From an e-mail that is sent to you?
Okay, I haven't recently updated my version of Devise. The "Change my password" link that I posted above is inside an email sent by Devise; I think it is the Devise controller that generates the token.
It seems as if Devise can't recognize its own token provided earlier. Right?
If you have recently updated Devise, you should read the CHANGELOG with the changes from the Devise version you were on up to the current version:
https://github.com/plataformatec/devise/blob/master/CHANGELOG.md
There are specific instructions on how to update your code.
If you're sending e-mails via mandrill, that's not the default devise behavior. So there must be some code/configuration in your app that handles that, right? My guess is that's the place to look for the bug.
For example, in an application I work on, we also override the devise mailer and instead make api calls to mandrill, sending it the reset password token to include in the mail template. So if you're doing something similar, you might be sending the wrong token.
Thank you gragates for the answer. I am not overriding any Devise mailer, I am just using the Mandrill service, setting up the SMTP settings like this:
ActionMailer::Base.smtp_settings = {
  :address => "smtp.mandrillapp.com",
  :port => 587,
  :user_name => ENV["MANDRILL_USERNAME"],
  :password => ENV["MANDRILL_SMTP_PASS"],
  :authentication => 'login'
}
In devise.rb I have
config.mailer = "Devise::Mailer", so I let the Devise default mailer send the email.
Is the error maybe this?
That looks fine to me. Are you using the devise default reset password instructions erb template? By default an override would be at app/views/devise/mailer/reset_password_instructions.html.erb
I am overriding because I have generated Devise views, but I practically didn't touch that template. Here is the code:
Hello <%= @resource.email %>!
Someone has requested a link to change your password. You can do this through the link below.
<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %>
If you didn't request this, please ignore this email.
Your password won't change until you access the link above and create a new one.
It should be @token instead of @resource.reset_password_token.
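Why that one-word change matters, as an added example that is not part of the thread or of Devise's own code: from Devise 3.1 the mailer receives the raw token as @token, the reset_password_token column holds only a keyed digest of it, and the lookup digests whatever arrives in the URL. The class name, secret and address below are constructed, and the HMAC-SHA256 step is a simplified stand-in for Devise's token generator.

```ruby
require "openssl"
require "securerandom"

# Simplified model (hypothetical names) of digest-at-rest reset tokens.
class ResetTokens
  def initialize(secret)
    @secret = secret
    @email_by_digest = {} # stands in for the reset_password_token column
  end

  # Keyed digest: a database leak alone does not yield usable reset links.
  def digest(raw)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, raw)
  end

  # Returns [raw, stored]: raw is what the mail template gets as @token,
  # stored is what @resource.reset_password_token would read back.
  def issue(email)
    raw = SecureRandom.urlsafe_base64(15)
    stored = digest(raw)
    @email_by_digest[stored] = email
    [raw, stored]
  end

  # The lookup always digests the value taken from the URL first.
  def find_by_url_token(url_token)
    @email_by_digest[digest(url_token.to_s)]
  end
end

def demo
  tokens = ResetTokens.new("constructed-secret-for-demo")
  raw, stored = tokens.issue("user@example.com")
  {
    # Template used @token: digest(raw) matches the stored column.
    with_raw: tokens.find_by_url_token(raw),
    # Template used @resource.reset_password_token: the digest is digested
    # a second time, nothing matches, and the token is reported invalid.
    with_stored: tokens.find_by_url_token(stored),
    stored_is_hex_digest: stored.match?(/\A\h{64}\z/)
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```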
Yeah! That was the error, thank you very much. Next time I will give all the information earlier.
How to expire password reset link after once used?
I am using devise with rails 4.1.x.
Thanks in advance for the help!
@thiyagarajan the reset password token expires by default if the user has already clicked the link and has successfully changed his password.
Got a similar problem too, and I am using @token in the views. Did not override any controllers. Seems like the encrypted token is the problem here... Is there any way to gracefully override the encryption in Devise 3.2.4?
I am having the same issue.
Using:
Rails 4.1.4
Ruby 2.1.2
Devise 3.2.4
The link of code used for the reset link is:
link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token)
Yet I still get the error "Reset password token is invalid"
The only other abnormality I have is that I have the previous password and I can not log in with it as I am told it is incorrect.
Any pointers would be helpful! Thanks
@cderche @ikrogers if you're overwriting resource.find_first_by_auth_conditions, you need to account for the case where warden_conditions contains a reset_password_token instead of an email
I have the same problem as @cderche using the following:
Rails 4.2.0
ruby 2.1.5p273 (2014-11-13 revision 48405) [x86_64-linux]
activeadmin-1.0.0.pre1
Thanks ahead for any pointers!
I am using,
Rails 3.2.13
Devise 3.1.0
I also changed @resource.*_token to @token, but it still says '... token is invalid'.
I was able to resolve this by overriding the authentication method of Devise. Below is my override function.
class User
  ...
  def self.find_first_by_auth_conditions warden_conditions
    conditions = warden_conditions.dup
    if (email = conditions.delete(:email)).present?
      where(email: email.downcase).first
    elsif conditions.has_key?(:reset_password_token)
      where(reset_password_token: conditions[:reset_password_token]).first
    end
  end
end
It worked after that.
I am using devise 4.2
Rails 4.2.8
Ruby 2.3.4
I don't know how to setup devise forgot password with my Gmail. Can anyone help me?
Had the same issue and fixed it by removing the 'devise-i18n-views' gem.
It looked like this gem was changing something in Devise that was causing this issue.