设计重置密码令牌无效
devise reset password token invalid
控制器
def create
# admin manually creates user
UserMailer.reset_password_instructions(@user).deliver
end
user.rb
class User < ActiveRecord::Base
before_create :generate_reset_password_token # generating devise reset token
# Include default devise modules. Others available are:
# :confirmable, :lockable and :omniauthable
# :registerable,
# :trackable,
devise :database_authenticatable,
# :confirmable,
:rememberable,
:validatable,
:recoverable,
:trackable,
:timeoutable
private
# Generates a new random token for confirmation, and stores
# the time this token is being generated
def generate_reset_password_token
raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
@raw_confirmation_token = raw
self.reset_password_token = enc
self.reset_password_sent_at = Time.now.utc
end
end
user_mailer.rb
class UserMailer < ApplicationMailer
include Devise::Mailers::Helpers
default from: 'no-reply@identt.co'
def reset_password_instructions(resource, opts={})
@resource = resource
@token = @resource.reset_password_token
mail(to: @resource.email, subject: "Reset Password Instructions")
end
end
reset_password_instructions.html.erb
<p>Hello <%= @resource.email %>!</p>
<p>Someone has requested a link to change your password. You can do this through the link below.</p>
<p><%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token) %></p>
<p>If you didn't request this, please ignore this email.</p>
<p>Your password won't change until you access the link above and create a new one.</p>
此时,当管理员手动创建用户时,Password reset Link 将转到我可以使用 MailCatcher 或 letter_opener 看到的电子邮件地址.
http://lvh.me:3000/users/password/edit?reset_password_token=6a8bc4683fc9e5dfcc789f94f9b6bd2b1c44fd857f13662d0f0d1f6212022f81
我点击了link,它成功地把我带到了
修改密码页面。当我提交表单时,验证失败并显示 Reset password token is invalid 消息。
我在这里错过了什么....
更新:
我的Development.rb看起来像:
Rails.application.configure do
# Settings specified here will take precedence over those in config/application.rb.
# In the development environment your application's code is reloaded on
# every request. This slows down response time but is perfect for development
# since you don't have to restart the web server when you make code changes.
config.cache_classes = false
# Do not eager load code on boot.
config.eager_load = false
# Show full error reports and disable caching.
config.consider_all_requests_local = true
config.action_controller.perform_caching = false
# Don't care if the mailer can't send.
config.action_mailer.raise_delivery_errors = false
# Print deprecation notices to the Rails logger.
config.active_support.deprecation = :log
# Raise an error on page load if there are pending migrations.
config.active_record.migration_error = :page_load
# Debug mode disables concatenation and preprocessing of assets.
# This option may cause significant delays in view rendering with a large
# number of complex assets.
config.assets.debug = true
# Asset digests allow you to set far-future HTTP expiration dates on all assets,
# yet still be able to expire them through the digest params.
config.assets.digest = true
# Adds additional error checking when serving assets at runtime.
# Checks for improperly declared sprockets dependencies.
# Raises helpful error messages.
config.assets.raise_runtime_errors = true
# Raises error for missing translations
# config.action_view.raise_on_missing_translations = true
# Configure letter opener to open email in browser
# config.action_mailer.delivery_method = :letter_opener
config.action_mailer.delivery_method = :smtp
config.action_mailer.smtp_settings = { :address => "lvh.me", :port => 1025 }
config.action_mailer.default_url_options = { host: 'lvh.me', port: 3000 }
config.domain = 'lvh.me'
end
我的解决方案只有一行代码,我通过添加手动邮件程序、操作等使其变得复杂。
为了解决这个问题,我只需要在 user 对象中调用设计的 send_reset_password_instructions:
在控制器中
@user.send_reset_password_instructions
解决了我的问题。
我通过删除(根据我的问题:)
清理了我的代码
user_mailer.rb 文件不再需要,所以删除它
views/user_mailer/reset_password_instructions.html.erb 文件不是必需的,所以删除它。
在 User.rb 模型中,删除 before_action :generate_reset_password_token 以及 generate_reset_password_token 私有方法。
从控制器中删除下面的邮件行
UserMailer.reset_password_instructions(@user).deliver
我为此深陷疯狂,终于找到了答案:
def generate_reset_password_token
raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
@raw_confirmation_token = raw
self.reset_password_token = enc
self.reset_password_sent_at = Time.now.utc
end
这段代码是正确的,你希望 user 有 enc 作为 reset_password_token。将 raw 变量放在手边也很好。
class UserMailer < ApplicationMailer
include Devise::Mailers::Helpers
default from: 'no-reply@identt.co'
def reset_password_instructions(resource, opts={})
@resource = resource
@token = @resource.reset_password_token
mail(to: @resource.email, subject: "Reset Password Instructions")
end
end
对于这部分,您需要 @token = @raw_confirmation_token(来自令牌生成器的 raw),而不是 @resource.reset_password_token(来自生成器的 enc)。
我相信这个解决方案适用于 devise 3.1+,他们似乎更改了设置以增加安全性,但没有解释这两个令牌。
控制器
def create
# admin manually creates user
UserMailer.reset_password_instructions(@user).deliver
end
user.rb
class User < ActiveRecord::Base
before_create :generate_reset_password_token # generating devise reset token
# Include default devise modules. Others available are:
# :confirmable, :lockable and :omniauthable
# :registerable,
# :trackable,
devise :database_authenticatable,
# :confirmable,
:rememberable,
:validatable,
:recoverable,
:trackable,
:timeoutable
private
# Generates a new random token for confirmation, and stores
# the time this token is being generated
def generate_reset_password_token
raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
@raw_confirmation_token = raw
self.reset_password_token = enc
self.reset_password_sent_at = Time.now.utc
end
end
user_mailer.rb
class UserMailer < ApplicationMailer
include Devise::Mailers::Helpers
default from: 'no-reply@identt.co'
def reset_password_instructions(resource, opts={})
@resource = resource
@token = @resource.reset_password_token
mail(to: @resource.email, subject: "Reset Password Instructions")
end
end
reset_password_instructions.html.erb
<p>Hello <%= @resource.email %>!</p>
<p>Someone has requested a link to change your password. You can do this through the link below.</p>
<p><%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token) %></p>
<p>If you didn't request this, please ignore this email.</p>
<p>Your password won't change until you access the link above and create a new one.</p>
此时,当管理员手动创建用户时,Password reset Link 将转到我可以使用 MailCatcher 或 letter_opener 看到的电子邮件地址.
http://lvh.me:3000/users/password/edit?reset_password_token=6a8bc4683fc9e5dfcc789f94f9b6bd2b1c44fd857f13662d0f0d1f6212022f81
我点击了link,它成功地把我带到了
修改密码页面。当我提交表单时,验证失败并显示 Reset password token is invalid 消息。
我在这里错过了什么....
更新:
我的Development.rb看起来像:
Rails.application.configure do
# Settings specified here will take precedence over those in config/application.rb.
# In the development environment your application's code is reloaded on
# every request. This slows down response time but is perfect for development
# since you don't have to restart the web server when you make code changes.
config.cache_classes = false
# Do not eager load code on boot.
config.eager_load = false
# Show full error reports and disable caching.
config.consider_all_requests_local = true
config.action_controller.perform_caching = false
# Don't care if the mailer can't send.
config.action_mailer.raise_delivery_errors = false
# Print deprecation notices to the Rails logger.
config.active_support.deprecation = :log
# Raise an error on page load if there are pending migrations.
config.active_record.migration_error = :page_load
# Debug mode disables concatenation and preprocessing of assets.
# This option may cause significant delays in view rendering with a large
# number of complex assets.
config.assets.debug = true
# Asset digests allow you to set far-future HTTP expiration dates on all assets,
# yet still be able to expire them through the digest params.
config.assets.digest = true
# Adds additional error checking when serving assets at runtime.
# Checks for improperly declared sprockets dependencies.
# Raises helpful error messages.
config.assets.raise_runtime_errors = true
# Raises error for missing translations
# config.action_view.raise_on_missing_translations = true
# Configure letter opener to open email in browser
# config.action_mailer.delivery_method = :letter_opener
config.action_mailer.delivery_method = :smtp
config.action_mailer.smtp_settings = { :address => "lvh.me", :port => 1025 }
config.action_mailer.default_url_options = { host: 'lvh.me', port: 3000 }
config.domain = 'lvh.me'
end
我的解决方案只有一行代码,我通过添加手动邮件程序、操作等使其变得复杂。
为了解决这个问题,我只需要在 user 对象中调用设计的 send_reset_password_instructions:
在控制器中
@user.send_reset_password_instructions
解决了我的问题。
我通过删除(根据我的问题:)
清理了我的代码user_mailer.rb文件不再需要,所以删除它views/user_mailer/reset_password_instructions.html.erb文件不是必需的,所以删除它。在
User.rb模型中,删除before_action :generate_reset_password_token以及generate_reset_password_token私有方法。从控制器中删除下面的邮件行
UserMailer.reset_password_instructions(@user).deliver
我为此深陷疯狂,终于找到了答案:
def generate_reset_password_token
raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
@raw_confirmation_token = raw
self.reset_password_token = enc
self.reset_password_sent_at = Time.now.utc
end
这段代码是正确的,你希望 user 有 enc 作为 reset_password_token。将 raw 变量放在手边也很好。
class UserMailer < ApplicationMailer
include Devise::Mailers::Helpers
default from: 'no-reply@identt.co'
def reset_password_instructions(resource, opts={})
@resource = resource
@token = @resource.reset_password_token
mail(to: @resource.email, subject: "Reset Password Instructions")
end
end
对于这部分,您需要 @token = @raw_confirmation_token(来自令牌生成器的 raw),而不是 @resource.reset_password_token(来自生成器的 enc)。
我相信这个解决方案适用于 devise 3.1+,他们似乎更改了设置以增加安全性,但没有解释这两个令牌。