Devise confirmation_token is invalid
Problem description
My User.rb:
class User < ActiveRecord::Base
  devise :database_authenticatable, :registerable, :confirmable, :token_authenticatable,
         :recoverable, :rememberable, :trackable, :validatable, :authentication_keys => [:name]
end
My routes:
devise_for :users, :controllers => { :sessions => "sessions", :confirmations => "confirmations", :passwords => "passwords", :registrations => "registrations" }
My ConfirmationsController is a standard controller, but with a different redirect.
I have a link in my email like:
/users/confirmation?confirmation_token=167bad44a15e02b0bd570b51e1bf927b88368d8855d92b9833a24017a2bad4be
In the database the user has:
confirmation_token:167bad44a15e02b0bd570b51e1bf927b88368d8855d92b9833a24017a2bad4be
But when I click on that link I only see a page with:
Resend confirmation instructions
Confirmation token is invalid
What am I missing? What else do I have to set?
ConfirmationsController:
class ConfirmationsController < Devise::ConfirmationsController
  def resource_params
    params.require(:user).permit(:confirmation_token)
  end
  private :resource_params

  def show
    self.resource = resource_class.confirm_by_token(params[:confirmation_token])

    if resource.errors.empty?
      set_flash_message(:notice, :confirmed) if is_navigational_format?
      sign_in(resource_name, resource)
      session['new_user'] = true
      respond_with_navigational(resource) { redirect_to after_confirmation_path_for(resource_name, resource) }
    else
      respond_with_navigational(resource.errors, :status => :unprocessable_entity) { render :new }
    end
  end

  protected

  # The path used after resending confirmation instructions.
  def after_resending_confirmation_instructions_path_for(resource_name)
    new_registration_path(resource_name)
  end
end
I say "standard controller" because when I remove it and do not use a custom controller the problem is the same.
Recommended answer
Which version of devise are you using? If you're on 3.1.0 or higher, this behavior is expected:
The tokens that are stored in the database are not supposed to match the tokens that you send in the confirmation e-mails. See devise/lib/devise/models/confirmable.rb, which now contains the following:
def confirm_by_token(confirmation_token)
  original_token     = confirmation_token
  confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)

  confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
As you can see, the token that you pass in via query string params is consumed by the Devise.token_generator, and the result of that operation is what's compared with the token in the database to discover the user record.
It looks like it's temporarily possible (in 3.1 but not 3.2) to turn this off by setting
config.allow_insecure_token_lookup = true
in your devise initializer. But the default behavior has been changed to make devise more secure. See this blog post for a complete rundown of the security improvements in devise 3.1, including this change.
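To make the answer concrete, here is an added Ruby sketch of the 3.1+ scheme (example code, not Devise's own): the e-mail carries the raw token, the database stores only an HMAC digest of it, and lookup digests the incoming value before querying. The secret, the TokenScheme/UserTable names and the in-memory user table are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# Illustrative re-implementation of the Devise 3.1+ token scheme (added
# example, not Devise's own code). The real logic lives in
# Devise::TokenGenerator and Devise::Models::Confirmable.
class TokenScheme
  def initialize(secret_key_base, digest = 'SHA256')
    @secret = secret_key_base # stands in for the Rails app secret
    @digest = digest
  end

  # One HMAC key per column, derived from the app secret. Devise gets this
  # from ActiveSupport::KeyGenerator (PBKDF2-HMAC-SHA1, 1000 iterations).
  def key_for(column)
    OpenSSL::PKCS5.pbkdf2_hmac_sha1(@secret, "Devise #{column}", 1000, 64)
  end

  # HMAC of the raw token: this is the value persisted in the users table.
  def digest(column, raw)
    return nil if raw.to_s.empty?
    OpenSSL::HMAC.hexdigest(@digest, key_for(column), raw.to_s)
  end

  # Returns [raw token for the e-mail link, digest for the database column].
  def generate(column)
    raw = SecureRandom.urlsafe_base64(15).tr('lIO0', 'sxyz') # like Devise.friendly_token
    [raw, digest(column, raw)]
  end
end

# Minimal in-memory stand-in for the users table (constructed data).
class UserTable
  def initialize; @rows = []; end
  def create(name, token_digest)
    (@rows << { name: name, confirmation_token: token_digest, confirmed_at: nil }).last
  end
  def find_by_confirmation_token(value)
    @rows.find { |r| r[:confirmation_token] == value }
  end
end

# Mirrors confirm_by_token: digest the query-string value, then look up the digest.
def confirm_by_token(users, scheme, token_from_link)
  stored = scheme.digest(:confirmation_token, token_from_link)
  row = stored && users.find_by_confirmation_token(stored)
  return :invalid_token unless row
  row[:confirmed_at] = Time.now
  :confirmed
end
```

Generate a pair, store only the digest half, and pass the raw half through confirm_by_token: the raw token confirms, while pasting the stored database value into the link (as in the question) is rejected as invalid because it gets digested a second time.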