Reputation: 15374
I am trying to test the reset password feature (Devise) within my app using Cucumber. After creating a user, I click the reset password link and enter the email address. Within my console I then notice the reset_password_token field gets updated:
I, [2016-12-23T09:35:49.937441 #2164] INFO -- : Parameters: {"utf8"=>"✓", "user"=>{"email"=>"[email protected]"}, "commit"=>"Send me reset password instructions"}
D, [2016-12-23T09:35:49.939803 #2164] DEBUG -- : User Load (0.4ms) SELECT "users".* FROM "users" WHERE "users"."email" = $1 ORDER BY "users"."id" ASC LIMIT 1 [["email", "[email protected]"]]
D, [2016-12-23T09:35:50.122728 #2164] DEBUG -- : User Load (0.6ms) SELECT "users".* FROM "users" WHERE "users"."reset_password_token" = $1 ORDER BY "users"."id" ASC LIMIT 1 [["reset_password_token", "6e67df7cd7824cf21939a45e9cfe4a399e78216d471432b8b55d7a8cbddc800a"]]
D, [2016-12-23T09:35:50.123615 #2164] DEBUG -- : (0.1ms) BEGIN
D, [2016-12-23T09:35:50.125628 #2164] DEBUG -- : SQL (0.5ms) UPDATE "users" SET "reset_password_token" = $1, "reset_password_sent_at" = $2, "updated_at" = $3 WHERE "users"."id" = $4 [["reset_password_token", "6e67df7cd7824cf21939a45e9cfe4a399e78216d471432b8b55d7a8cbddc800a"], ["reset_password_sent_at", "2016-12-23 09:35:50.123253"], ["updated_at", "2016-12-23 09:35:50.123915"], ["id", 1]]
As part of my steps I then get that token and try to use it.
Given(/^the user resets their password$/) do
  @user = User.last
  visit edit_user_password_path(reset_password_token: @user.reset_password_token)
  fill_in 'user_password', with: 'NewPassword'
  fill_in 'user_password_confirmation', with: 'NewPassword'
  submit_form
end
Within the reset password email, though, I notice
<a href="http://localhost:4000/users/password/edit?reset_password_token=ZUjy2Y3snR3u7diRoAC4">Change my password</a>
Which is generated by
<%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token) %>
How do I access the correct token values so I can test the reset of a user's password?
Thanks
Upvotes: 1
Views: 1177
Reputation: 23859
See this comment. The same happens in the devise_invitable gem as well. Storing the raw token in the DB is not a good practice, and is also not secure. That's why, after mailing the raw token, the token is stored in the DB as a calculated digest.
If you need to find the user by the token that is in the mail, you can use
User.find_by_invitation_token('your_token_here')
Upvotes: 1
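The raw-token versus stored-digest split described in the answer, as an added example that is not part of the original thread and not Devise's own code: a simplified stand-in showing why the 64-character value read from the users table is rejected when used as the URL token, while the 20-character value from the email works. `SERVER_KEY`, `USERS`, the method names, the 6-hour `max_age` default and the email address are all assumptions made for the illustration.

```ruby
require 'openssl'
require 'securerandom'

# Simplified model of the pattern; every name here is hypothetical.
SERVER_KEY = 'constructed-demo-key-not-a-real-secret' # stands in for a server-side secret
USERS = {} # email => { reset_password_token: <hex digest>, reset_password_sent_at: Time }

# Keyed digest of the raw token; this is the only form that gets persisted.
def digest(raw_token)
  OpenSSL::HMAC.hexdigest('SHA256', SERVER_KEY, raw_token)
end

# Issues a token: stores the digest, returns the raw value that goes in the email link.
def issue_reset_token(email, now: Time.now)
  raw = SecureRandom.urlsafe_base64(15) # 20 URL-safe characters
  USERS[email] = { reset_password_token: digest(raw), reset_password_sent_at: now }
  raw
end

# Lookup digests whatever the client presents, then compares against storage.
# Presenting the stored digest fails, because it gets digested a second time.
def find_by_reset_token(presented, max_age: 6 * 3600, now: Time.now)
  wanted = digest(presented.to_s)
  email, row = USERS.find { |_, r| r[:reset_password_token] == wanted }
  return nil unless row
  return nil if now - row[:reset_password_sent_at] > max_age # expired link
  email
end

# Redeeming clears the stored digest so the emailed link is single-use.
def redeem_reset_token(presented, now: Time.now)
  email = find_by_reset_token(presented, now: now)
  USERS[email][:reset_password_token] = nil if email
  email
end

if __FILE__ == $PROGRAM_NAME
  raw = issue_reset_token('user@example.test') # constructed sample user
  stored = USERS['user@example.test'][:reset_password_token]
  puts "emailed (raw):  #{raw}"
  puts "stored (digest): #{stored}"
  puts "lookup with stored value: #{find_by_reset_token(stored).inspect}"
  puts "lookup with raw value:    #{find_by_reset_token(raw).inspect}"
end
```

In a Devise test the raw token has to come from the same place the user gets it: the return value of `user.send_reset_password_instructions`, or the link in the delivered email, never the database column.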