Reputation: 1249
Devise (via API) recoverable : reset_password_token can't be blank
I found some discussions and topics about the recoverable feature, but couldn't fix the issue I encounter.
I have a front end API that uses a rails 3.2 backend ( with Devise 2.2.4) all routes are working well but when I try to update the password it sends a json resonse (in Postman ) :
"reset_password_token" : "can't be blank"
If I understand the feature :
1- The POST # POST /resource/password sends the reset password to the email ( used as param ) 2- then I perform a GET /resource/password/edit?reset_password_token=abcdef that goes to my FrontEnd page with a password input. 3- when the password is changed I launch a # PUT /resource/password
This is where the error occures.
Here is the password_controller.rb file :
class Devise::PasswordsController < DeviseController
prepend_before_filter :require_no_authentication
# Render the #edit only if coming from a reset password email link
append_before_filter :assert_reset_token_passed, :only => [:edit, :update]
# GET /resource/password/new
def new
build_resource({})
end
# POST /resource/password
def create
self.resource = resource_class.send_reset_password_instructions(resource_params)
if successfully_sent?(resource)
#respond_with({}, :location => after_sending_reset_password_instructions_path_for(resource_name))
render json: { message: "mail sent"}, status: 200
else
#respond_with(resource)
render json: { :status }
end
end
# GET /resource/password/edit?reset_password_token=abcdef
def edit
self.resource = resource_class.new
resource.reset_password_token = params[:reset_password_token]
end
# PUT /resource/password
def update
self.resource = resource_class.reset_password_by_token(params[:reset_password_token])
if resource.errors.empty?
resource.unlock_access! if unlockable?(resource)
flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
set_flash_message(:notice, flash_message) if is_navigational_format?
#sign_in(resource_name, resource)
#respond_with resource, :location => after_resetting_password_path_for(resource)
render json: { message: "password updated"}, status: 200
else
respond_with resource
end
end
protected
def after_resetting_password_path_for(resource)
after_sign_in_path_for(resource)
end
# The path used after sending reset password instructions
def after_sending_reset_password_instructions_path_for(resource_name)
new_session_path(resource_name) if is_navigational_format?
end
# Check if a reset_password_token is provided in the request
def assert_reset_token_passed
if params[:reset_password_token].blank?
#set_flash_message(:error, :no_token)
#redirect_to new_session_path(resource_name)
render json: { message: "reset password is not blank"}, status: 200
end
end
# Check if proper Lockable module methods are present & unlock strategy
# allows to unlock resource on password reset
def unlockable?(resource)
resource.respond_to?(:unlock_access!) &&
resource.respond_to?(:unlock_strategy_enabled?) &&
resource.unlock_strategy_enabled?(:email)
end
end
The recoverable.rb method reset_password_by_token :
def reset_password_by_token(attributes={})
recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])
if recoverable.persisted?
if recoverable.reset_password_period_valid?
recoverable.reset_password!(attributes[:password], attributes[:password_confirmation])
else
recoverable.errors.add(:reset_password_token, :expired)
end
end
recoverable
end
Devise::Models.config(self, :reset_password_keys, :reset_password_within)
I tried to add some puts on the methods and they are not thrown in the backlog. Here is my rails s log :
Started PUT "/users/password" for 192.168.0.18 at 2016-04-06 09:35:11 +0200
Processing by Devise::PasswordsController#update as JSON
Parameters: {"reset_password_token"=>"[FILTERED]", "password"=>"[FILTERED]"}
, :options=>{:count=>1, :default=>["User"]}, :description=>"User"}, {:key=>"activerecord.attributes.user.confirmation_token", :locale=>:en, :options=>{:count=>1, :default=>[:"attributes.confirmation_token", "Confirmation token"]}, :description=>"Confirmation token"}, {:key=>"activerecord.attributes.user.unconfirmed_email", :locale=>:en, :options=>{:count=>1, :default=>[:"attributes.unconfirmed_email", "Unconfirmed email"]}, :description=>"Unconfirmed email"}, {:key=>"activerecord.attributes.user.email", :locale=>:en, :options=>{:count=>1, :default=>[:"attributes.email", "Email"]}, :description=>"Email"}, {:key=>"activerecord.attributes.user.reset_password_token", :locale=>:en, :options=>{:count=>1, :default=>[:"attributes.reset_password_token", "Reset password token"]}, :description=>"Reset password token"}]}
Completed 422 Unprocessable Entity in 2174ms (Views: 0.4ms | ActiveRecord: 1.6ms)
===================
EDIT
===================
To understand where the request comes from I add below the PUT request on Angular/FrontEnd part :
users.newPassword = function (token, password) {
var putData = {
user:{
reset_password_token: token,
password: password
}
};
return Restangular.withConfig(function(RestangularConfigurer) {
RestangularConfigurer.setFullResponse(true);
}).one('/users/password').customPUT(putData);
};
Upvotes: 1
Views: 2487
Answers (2)
Reputation: 1249
I finally found the fix.
The fact is that Devise is waiting params as user Array.
I was sending reset_password_token directly, but Devise is waiting user[reset_password_token] .....
also the generated token was not the good one. In my mail template I had :
You asked to <%= link_to 'reset your password', edit_password_url(@resource, reset_password_token: @resource.reset_password_token %>.
And I modified it to
You asked to <%= link_to 'reset your password', edit_password_url(@resource, reset_password_token: @token %>.
Upvotes: 0
Reputation: 585
You are declaring reset_password_by_token as class method. Thats fine. But you didn't pass either resource object or reset_password_token as argument to method. That means don't setting resent_token.
You can debug and check if resource is setting reset_password_token or not. If yes then follow below
self.resource = resource_class.reset_password_by_token(params[:confirmation_token])
so, either use
resource.reset_password_by_token(params[:password])
or
resource_class.reset_password_by_token(params[:password], params[:reset_password_token])
Upvotes: 1
Related Questions
- How to understand nil vs. empty vs. blank in Ruby
- Devise with jwt - recoverable reset_password_by_token
- Preventing Devise from sending an email when changing password
- Password Reset Token Leaking to Google Analytics
- rails devise reset password token is replaced with user's email only in production
- How to get reset_password working with rails-api app using devise_auth_token gem
- Unauthorized request using devise authentication methods as API for resetting password