I'm having a devil of a time with this one.
Rails 4
Devise 3.2.2
Postgres 9.3.2
Using @token, not @reset_password_token
Token is being set properly in the DB as is remember_password_sent_at timestamp.
I can query on the command line for users = @token and get the desired result.
No matter what, when attempting to reset the PW I get Reset password token invalid.
Hrm, can you post the logs of the web request? Maybe the information is not being sent as expected?
Sure:
Started PUT "/users/password" for x.x.x.x at 2014-02-17 09:47:49 -0500
Processing by Devise::PasswordsController#update as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"5jvqQjPZ6PDirMrQyL5Xl9k82SDf3ZVQxEnRqmfiO8o=", "user"=>{"reset_password_token"=>"[FILTERED]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}, "commit"=>"Change my password"}
User Load (6.6ms) SELECT "users".* FROM "users" WHERE "users"."reset_password_token" = '668f9f47b286a680a27ca836866f4dc95a780f846c860f752284ee0f670e916f' ORDER BY users.first ASC LIMIT 1
Rendered devise/shared/_links.erb (0.4ms)
Rendered devise/passwords/edit.html.erb within layouts/sessions (8.5ms)
Completed 200 OK in 150ms (Views: 61.2ms | ActiveRecord: 6.6ms)
Yeah, with the tokens filtered, it doesn't really help. :P But you can see the token in the database query, is that the token you expected?
Actually, the token being generated and stored in the DB differs from the token in the email.
For instance, I just attempted again and the token generated and stored by Devise is:
c79be8a0bf584bff6cade527f664e9ad1ade5808e9277520264d7bd2901f2718
The token in the email notification is:
/users/password/edit?reset_password_token=Fa_ByHWUk9r-ixHhxkfx"
Relevant line from the mailer template:
<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @token) %>
Right. That's the idea. I am out of clues as to what can be happening. Can you please provide an application that reproduces the error?
So it may be that there is some hashing going on between the email process and Devise, sorry I'm not that familiar with the inner workings of Devise.
Anyway, the Token that is created and saved to the User model is the token that is being sought on the reset attempt.
It's a mystery to me why this doesn't work.
Token generated from log:
[["reset_password_token", "bfef35e411e3d3009ef7466dd85adf7bc03223d95c0dc5ead6f1cc8a61765aa4"]
Token in email:
reset_password_token=_GEqBpbzGtuhR7jchNjC
Token in reset attempt:
"reset_password_token" = 'bfef35e411e3d3009ef7466dd85adf7bc03223d95c0dc5ead6f1cc8a61765aa4'
There is no open enrollment, so I would need to create an account for you to replicate the issue with.
@jimiguru I mean an application we can see the source, there isn't much more we can do through external inspection.
Oh sorry. It is a private repo, but I can add you as a contributor if you like.
Sorry, it would be better if you provide a sample application that reproduces the error, as I can't take a better look right now.
Closing as we need a way to reproduce the error to investigate this further. Thanks!
I have the exact same problem. And I have an application to test it: https://github.com/infernalsirius/graep_active.git
I tested it locally in production and development environments and it's working. Not on my VPS.
I also have the same problem. It doesn't happen all the time. But sometimes it happens for users that they cannot reset their password, as it shows the "Reset password token is invalid" error.
I got the same issue as @jimiguru. I'm not really sure why the token saved in the DB didn't match the reset token being retrieved in the email. Can anybody help us with this? Thanks!
I wanted to reproduce this. Let me check. I was yesterday looking into that portion of test code. Let me check also, though my current live apps are not having problem.
@rubyrider I've created a Rails 4 scaffold app with Devise installed. Can you please try it here if you can replicate it? http://3bd71a50.ngrok.com/ Thanks!
sure, I am doing it right now!
Yeah, source code would be awesome! Any public repo available there? Because I couldn't reproduce the problem either. I successfully changed my password. But I noticed the two following things:
@rubyrider pushing it now to github.
please checkout the experiences I shared.
@rubyrider https://github.com/chocnut/rails4devise
got it. please read out the step I mentioned which I noticed while testing.
I am facing the same issue: the token stored in the DB varies from the one used while resetting the password.
http://127.0.0.1:3000/account/password/edit?reset_password_token=0954897eab1b8be8769e1f415d449cbd346a608d8a525c881c3f477766eda9f6
SELECT "users".* FROM "users" WHERE "users"."reset_password_token" = 'a0026c1c3fee16743e21f459a9599ae2e6f5267116583d78eec586b8dc00d41e' ORDER BY "users"."id" ASC LIMIT 1
I am actually using a customised mail for sending the reset password instructions.
def unlock_instructions(user, token)
  @user = user
  @token = token
  mail to: user.email, from: "xxxx", subject: "Your account has been locked"
end
<%= link_to 'Unlock Account', edit_password_url(@user, :reset_password_token => @token) %>
same issue here.
Same here. Although the reset token from the reset password instructions email matches the reset token from the database, it returns an invalid token error on the change password form. The database query shows that Devise looks for a different token in the database.
Experiencing this issue as well.
This commit works:
1094ba65aac1d37713f2cba71f9edad76b5ca274
I have the same problem.
When I upgraded Devise from 3.4.1 to the latest commit, the problem went away. It seems that it is fixed.
I faced a similar issue; the solution is
change:
edit_password_url(@resource, reset_password_token: @resource.reset_password_token)
to
edit_password_url(@resource, reset_password_token: @token)
Had the same issue. Thanks @amitdotagarwal. That fixed it for me as well.
In my case the reset token in the database and the token in the URL for reset password are the same.
> User.last.reset_password_token
"deb8e7fcaef019273e04288c685205ac40eb37e92d91e52e39b06225cc0d8803"
URL: http://lvh.me:3000/users/password/edit?reset_password_token=deb8e7fcaef019273e04288c685205ac40eb37e92d91e52e39b06225cc0d8803
Now, when I submit that reset password form, it said Reset password token is invalid.
This Stack Overflow link elaborates on my issue: http://stackoverflow.com/questions/33823735/devise-reset-password-token-invalid
Well, I found the solution. I was using completely the wrong solution. The solution is pretty simple: use Devise's send_reset_password_instructions, something like:
@user.send_reset_password_instructions
and it solved my problem.
Concur with @amitdotagarwal - the reason is that the token is now encrypted in the model, so in order to present the token it needs to be the unencrypted one - that should be what is in the email, hence putting @token in it.
I followed that advice and it worked for me - I had not noticed the change in policy to encrypt the token in the model - where was the news?
I still don't get it. How can I get the token from the email and not the one from the db?
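The raw-token/stored-digest split discussed in this thread, as an added example that is not part of the original thread and is not Devise's own code. It is a simplified model: `DEMO_KEY`, the in-memory `USERS` hash and all function names are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Constructed key for this sketch only (assumption); a real app derives its
# key from an application secret.
DEMO_KEY = "constructed-demo-key-not-a-real-secret"

# Keyed digest of a raw token: the 64-hex-character value seen in the
# reset_password_token column throughout the thread.
def token_digest(raw)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), DEMO_KEY, raw)
end

# Returns [raw, digest]. The raw value is what the mailer receives as @token;
# only the digest is persisted.
def generate_reset_token
  raw = SecureRandom.urlsafe_base64(15) # 20 URL-safe characters
  [raw, token_digest(raw)]
end

# Hypothetical in-memory stand-in for the users table: email => stored digest.
USERS = {}

# Model of the "send instructions" step: store the digest, hand back the raw
# token for the email link.
def send_reset_instructions(email)
  raw, digest = generate_reset_token
  USERS[email] = digest
  raw
end

# Model of the reset step: digest whatever the form submitted, then look that
# digest up. This is why the SQL in the logs never shows the emailed value.
def find_by_submitted_token(submitted)
  USERS.key(token_digest(submitted))
end

def demo
  raw = send_reset_instructions("user@example.test") # constructed sample user
  stored = USERS["user@example.test"]
  {
    raw_from_email: find_by_submitted_token(raw),       # user is found
    db_value_in_link: find_by_submitted_token(stored),  # nil: digest of a digest
    raw_length: raw.length,
    stored_length: stored.length
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The `db_value_in_link` case is the one where the link and the database column show the same 64-character value and the reset still fails: the submitted value is digested again before the lookup, so it can never match.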