Pan Wangperawong

Reputation: 1250

Devise 3.1 Upgrade Invalid Token Error

My app has been using devise (3.1.0, 3.0.3, 3.0.2, 3.0.1, 3.0.0, 2.2.4), so the current version is 3.1.0. With this upgrade there is a new way Devise does token confirmation (blog).

When I click on the email link it leads to an invalid token error, so I'm trying to find out how to resolve this. Please let me know any pointers you have. Thank you.

Upvotes: 0

Views: 917

Answers (1)

Tyler

Reputation: 11499

With 3.1.0, Devise has changed the way it handles token authentication. Rather than storing an unencrypted token in the database, Devise now encrypts that token and sends the unencrypted token in the confirmation email. You will need to set config.secret_key in order to facilitate this encryption. More info on that here: Devise Secret Key was not set

Thus, if you have an old email, or an old token in the database, it is not likely to match what you expect. You can set

config.allow_insecure_token_lookup = true

in your Devise initializer file to remedy this problem, but this is supposed to be a short-term solution while you wait for users to click on the confirmation emails that you sent out before the switch.

Lastly, if you've changed the mail message to reference the token directly (e.g. @user.reset_password_token), you are using the encrypted version in the email and will need to change it to reference the @token variable defined by Devise instead. Here's an example email: https://github.com/plataformatec/devise/blob/2a8d0f9beeb31cd2287094c5dcf843d0bd069eb8/app/views/devise/mailer/reset_password_instructions.html.erb#L5

Upvotes: 2
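An added example, not part of the answer above and not Devise's own code: a simplified model of the lookup it describes, showing why an emailed database value or a pre-upgrade token comes back as invalid. It assumes the stored value is an HMAC-SHA256 of the emailed token; `TokenStore`, `SECRET_KEY` and the user names are hypothetical, and only `allow_insecure_token_lookup` is a name taken from the page.

```ruby
require "openssl"
require "securerandom"

# Simplified model of digest-based confirmation tokens (not Devise's source).
# SECRET_KEY stands in for config.secret_key; the value is constructed.
SECRET_KEY = "constructed-demo-secret-key"

class TokenStore
  attr_accessor :allow_insecure_token_lookup

  def initialize(secret)
    @secret = secret
    @rows = {}                            # token column value => user
    @allow_insecure_token_lookup = false
  end

  # Assumption: the column holds a keyed digest of the emailed token.
  def digest(raw)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, raw)
  end

  # Post-upgrade issue: store the digest, hand the raw token to the mailer.
  def issue(user)
    raw = SecureRandom.urlsafe_base64(15)
    @rows[digest(raw)] = user
    raw
  end

  # Pre-upgrade row: the raw token itself sits in the column.
  def seed_legacy(user, raw)
    @rows[raw] = user
  end

  # The link's token is digested before comparison. The fallback compares it
  # as-is, so it also accepts any value copied straight from the column.
  def confirm(token_from_link)
    user = @rows[digest(token_from_link)]
    user ||= @rows[token_from_link] if allow_insecure_token_lookup
    user || :invalid_token
  end

  def stored_value_for(user)
    @rows.key(user)
  end
end

demo = TokenStore.new(SECRET_KEY)
raw_token = demo.issue("alice")
puts demo.confirm(raw_token)                       # token from the email
puts demo.confirm(demo.stored_value_for("alice"))  # column value in the email
```
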
