Tuesday 26 November 2013

Devise : Redirect User To Sign In If Password Token Invalid

Devise provides a "Forgot your password?" link on the sign-in page.

When the user clicks the forgot password link, Devise asks for an email address and sends a password reset link to it if it belongs to a valid user. Every password reset link carries a reset password token.

Following the reset password link from the mail, the user is asked to fill in the reset password form with the fields new password and confirm password. On submitting it, the user's password is reset.

But what happens when the user follows an expired reset password link?
The user is still presented with the reset password form with the new password and confirm password fields. Only when the form is submitted with valid data does Devise show the error message "Password token INVALID".

How can we redirect the user to the sign-in page (or any other page/action) if the user arrives with an invalid token?

It's very easy with Devise.

We need to override Devise's passwords controller as follows.

1) Create a passwords controller
rails g controller Passwords
This will generate a passwords controller in your Rails application.

2) Override the Devise passwords controller
class PasswordsController < Devise::PasswordsController
  def edit
    # Look up the user by the token from the link; if none matches, Devise
    # initializes a new record carrying an error on :reset_password_token.
    # Note: this compares the column against the raw token, which works when
    # Devise stores the token in the clear (before Devise 3.1); from 3.1 on the
    # column holds a digest, so the raw value has to be digested first.
    self.resource = resource_class.find_or_initialize_with_error_by(:reset_password_token, params[:reset_password_token])
    if !resource.errors.empty?
      flash[:alert] = "Password token is invalid"
      redirect_to new_session_path(resource_name)
    end
    # Otherwise fall through to the default edit template, which renders the reset form.
  end
end
Here we override the edit action. In edit, we check whether the token from the link is valid.

If it is valid, the resource carries no errors and we display the reset password form.
If it is invalid, the resource carries an error and we redirect the user to the sign-in page; replace new_session_path with whatever action you want instead.

3) Update the routes file

  devise_for :users, :controllers => {:passwords => "passwords"}

This tells Devise to use our passwords controller instead of its own.

That's it.
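Added example (not from this post or from Devise itself): a stand-alone Ruby model of the token check the overridden edit action has to make. It assumes Devise 3.1 and later, which store only an HMAC digest of the raw token from the mail, so the record must be looked up by digest rather than by the raw parameter; the User struct, SECRET and the in-memory users list are constructed stand-ins. It also returns why a token is unusable (unknown or already used, or expired), which is the distinction the comments ask about.

```ruby
require "openssl"
require "securerandom"

# Stand-in for a Devise user record (constructed; a real Devise model has
# database columns of the same names).
User = Struct.new(:email, :reset_password_token, :reset_password_sent_at)

# Constructed HMAC key; Devise derives its key from the app's secret_key_base.
SECRET = "constructed-secret-not-a-real-key"
# Lifetime of a reset link: 6 hours, Devise's default config.reset_password_within.
RESET_PASSWORD_WITHIN = 6 * 60 * 60

# Devise >= 3.1 keeps only an HMAC-SHA256 digest of the raw token it mails out.
def digest_token(raw)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, raw)
end

# "Send" the reset mail: the raw token goes into the link, the record stores
# only the digest and the send time.
def issue_reset_token(user, now = Time.now)
  raw = SecureRandom.urlsafe_base64(20)
  user.reset_password_token = digest_token(raw)
  user.reset_password_sent_at = now
  raw
end

# Completing the form clears the token, so a link cannot be used twice.
def consume_reset_token(user)
  user.reset_password_token = nil
  user.reset_password_sent_at = nil
end

# The check the overridden edit action needs: look the user up by digest
# (not by the raw param) and verify the link is still within its lifetime.
# Returns :ok, :not_found (unknown user or token already used) or :expired.
def check_reset_token(users, raw_token, now = Time.now)
  return :not_found if raw_token.nil? || raw_token.empty?
  wanted = digest_token(raw_token)
  user = users.find { |u| u.reset_password_token == wanted }
  return :not_found unless user
  return :expired if now - user.reset_password_sent_at > RESET_PASSWORD_WITHIN
  :ok
end

# What the edit action should do for a given link: show the form or redirect.
def edit_decision(users, raw_token, now = Time.now)
  status = check_reset_token(users, raw_token, now)
  return { render: :edit } if status == :ok
  { redirect_to: "/users/sign_in", alert: "Password token is invalid (#{status})" }
end
```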

4 comments:

  1. Hi,

    I am getting the error "Reset password token is invalid". Can you tell me why?
  2. This error generally comes when the link you are following from the reset password mail is invalid.


    Every link has a reset password token associated with it, which is used to find the identity of the system user. If this token is invalid then Devise gives "Reset password token is invalid".

    This token becomes invalid if
    1) It has already been used by hitting the link and setting the new password
    2) The token is not used within the period of time set in initializers/devise.rb
    Generally it is set at 6 days
    3) The user doesn't exist in the system
  3. Doesn't work for me either. Adding:

    reset_password_token = Devise.token_generator.digest(self, :reset_password_token, params[:reset_password_token])

    Then using the token with the resource initialization works. But then the token seems to become invalid for the update form.

  4. Big thanks for the detailed overview of this flow. Is there a way to display more specific error messages for those reasons when the token becomes invalid?