Avoid sign-in after confirmation link click using devise gem?

Problem description

I am using devise gem, after clicking on the confirmation link, I want to directly sign-in. At present it is asking to sign-in again.

Recently I have added the following in the devise initialize file:

config.allow_insecure_token_lookup = true
config.secret_key = 'a8d814803c0bcc735ce657adc77793459d00154cdd7532c13d3489600dc4e963f86e14beb593a32cbe9dbbe9197c9ce50a30102f363d90350052dc8d69930033'

Any suggestions?

Recommended answer

In previous Devise versions, the user was automatically signed in after confirmation. This meant that anyone that could access the confirmation e-mail could sign into someone’s account by simply clicking the link.

Automatically signing the user in could also be harmful in the e-mail reconfirmation workflow. Imagine that a user decides to change his e-mail address and, while doing so, he makes a typo on the new e-mail address. An e-mail will be sent to another address which, with the token in hand, would be able to sign in to that account.

If the user corrects the e-mail straight away, no harm will be done. But if not, someone else could sign into that account and the user would not know that it happened.

For this reason, Devise 3.1 no longer signs the user in automatically after confirmation. You can temporarily bring the old behavior back after upgrading by setting the following in your config/initializers/devise.rb:

config.allow_insecure_sign_in_after_confirmation = true

This option will be available only temporarily to aid migration.
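
The re-confirmation scenario from the answer above, as a simplified model added here for illustration; it is not code from the original post or from Devise, and the class, method names and e-mail addresses are constructed. It shows what the holder of a mis-delivered confirmation link obtains with automatic sign-in on and off.

```ruby
require "securerandom"

# Simplified model of a confirmable account (constructed; not Devise internals).
Account = Struct.new(:email, :unconfirmed_email, :token)

class ConfirmationFlow
  attr_reader :outbox

  def initialize(sign_in_after_confirmation:)
    @auto_sign_in = sign_in_after_confirmation
    @accounts = []
    @outbox = []   # [recipient, token] pairs standing in for sent e-mail
  end

  def register(email)
    account = Account.new(email, nil, nil)
    @accounts << account
    account
  end

  # Re-confirmation: the token goes to whatever address was typed, typo or not.
  def change_email(account, new_email)
    account.unconfirmed_email = new_email
    account.token = SecureRandom.hex(16)
    @outbox << [new_email, account.token]
  end

  # Clicking the link. Returns the account a session was opened for, or nil.
  def confirm(token)
    account = @accounts.find { |a| a.token && a.token == token }
    return nil unless account
    account.email = account.unconfirmed_email
    account.unconfirmed_email = account.token = nil
    @auto_sign_in ? account : nil   # Devise 3.1+ corresponds to the nil branch
  end
end

# Whoever receives the mail at the mistyped address clicks the link.
def session_for_mail_recipient(auto_sign_in)
  flow = ConfirmationFlow.new(sign_in_after_confirmation: auto_sign_in)
  owner = flow.register("alice@example.com")
  flow.change_email(owner, "alcie@example.com")   # constructed typo
  _recipient, token = flow.outbox.last
  flow.confirm(token)
end
```

With automatic sign-in the link alone yields a session on the owner's account; without it the link only confirms the address and a session still requires signing in with the account's credentials.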
