Perishable Token not Found for Authlogic User in Rails

Question

I'm using Authlogic with my Rails app and I can't figure out why it sometimes won't find a user based on the perishable token. It usually works, but sometimes it won't. I used this code so that users could be verified before being able to log in. However, for example right now, I'm looking at an example where the user is not being found by the perishable token even though, when I look in the DB for the user, the perishable token matches the one for the user.

The process is this:

in users_controller #create

@user.deliver_verification_instructions!(@subdomain)

in user model:

def deliver_verification_instructions!(subdomain)
  reset_perishable_token!
  Notifier.verification_instructions(self, subdomain).deliver!
end 

in my mailer (Notifier.rb)

# email on new user registration to verify user
def verification_instructions(user,subdomain)
  @user = user
  @subdomain = subdomain
  @url  = "http://#{@subdomain.name}.foobar.com/user_verifications/#{@user.perishable_token}"
  sent_on       Time.now
  mail(:to => "#{user.first_name} <#{user.email}>",
    :subject => "Email Verification",
    :from => 'Foo <info@foobar.com>') do |format|
    format.text
    format.html
  end
end

in the email view:

Please click the following link to verify your email address:                                           
<%= @url %>

in User_verifications controller

class UserVerificationsController < ApplicationController
  before_filter :load_user_using_perishable_token

def show
  @subdomain = Subdomain.find_by_user_name(current_subdomain)

  if @user
    @user.verify!
    flash[:notice] = "Thank you for verifying your account. You may now login."
  end
  redirect_to home_path
end

private
  def load_user_using_perishable_token
    @user = User.find_using_perishable_token(params[:id])
    flash[:notice] = "Unable to find your account." unless @user
  end
end

The code sometimes returns "Unable to find your account." which means it's not finding the perishable token even though the token in the url in the email matches what I see in the database.

When I look at my logs on Heroku all I see it:

2013-01-11 00:10:01+00:00 app web.1     - - Started GET "/user_verifications/lTpNRnjDw4WbyAMUyw6" for 10.253.207.217/ip-10-253-207-217.eu-west-1.compute.internal at 2013-01-11 00:10:01 +0000
2013-01-11 00:10:02+00:00 heroku router - - at=info method=GET path=/user_verifications/lTpNRnjDw4WbyAMUyw6 host=mvfd.foobar.com fwd=10.253.207.217/ip-10-253-207-217.eu-west-1.compute.internal dyno=web.1 queue=0 wait=0ms connect=10ms service=1325ms status=302 bytes=96
2013-01-11 00:10:02+00:00 app web.1     - - cache: [GET /user_verifications/lTpNRnjDw4WbyAMUyw6] miss
2013-01-11 00:10:02+00:00 app web.1     - -   Processing by UserVerificationsController#show as HTML
2013-01-11 00:10:02+00:00 app web.1     - -   Parameters: {"id"=>"lTpNRnjDw4WbyAMUyw6"}
2013-01-11 00:10:02+00:00 app web.1     - - Redirected to http://mvfd.foobar.com/home
2013-01-11 00:10:02+00:00 app web.1     - - Completed 302 Found in 1008ms

Thanks for any assistance you can provide!

Answer 1

Authlogic expires perishable tokens after 10 minutes by default (for security) so it is likely that some users are following the password reset link after it has expired.

You can change this setting in your User model:

class User < ActiveRecord::Base
  acts_as_authentic do |config|
    config.perishable_token_valid_for = 1.hour
  end
end

https://github.com/binarylogic/authlogic/blob/master/lib/authlogic/acts_as_authentic/perishable_token.rb#L15-L25

OR, pass a different expiration value in to the find_using_perishable_token method in your controller:

@user = User.find_using_perishable_token(params[:id], 1.hour)

https://github.com/binarylogic/authlogic/blob/master/lib/authlogic/acts_as_authentic/perishable_token.rb#L55-L63

Make sure to consider the risk of increasing the expiration value depending on the security requirements of your application.