
switched to ssl and devise tokens are invalid

We just switched our rails 3 app over to SSL, and later noticed that password recovery tokens aren't working in production any longer. It says "invalid token" when a user tries to reset their password using the emailed link.

I'm using rails 3.0.0, devise 1.3.4, and our user model has:

devise :database_authenticatable, :invitable, :registerable,
       :recoverable, :rememberable, :trackable, :validatable

I'm not using anything like ssl_requirement, because we just did ssl universally across the app. I expired old tokens to make sure it wasn't somehow not expiring old tokens or something. I'm baffled.


This was a problem with our nginx config, and entirely unrelated to Devise. But in case anyone else ever finds themselves in a similar position, here's what went down. We set up nginx to redirect the plain http URLs to https. Specifically, we had a double rewrite when someone went from domain.com to www.domain.com to https://www.domain.com, and the reset_code was getting added to the end a second time so that reset_code was coming through to the app as ?reset_code=12345?reset_code=12345.

So we changed our nginx config so:

# rewrite ^ https://$server_name$request_uri permanent;
rewrite ^(.*) https://$host$1 permanent;

and then just an optimization

rewrite ^(.*)$ https://www.domain.com$1 permanent;

and all better now.
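
Why the doubled query string makes the token invalid, as an added example that is not part of the original answers: a simplified Ruby model of how the redirect target is assembled (an assumption for illustration, not nginx's code), with a constructed request path and `URI.decode_www_form` standing in for the app's query parsing. It goes slightly beyond the answer by including a third rule ending in `?`, nginx's documented way to stop the original arguments from being appended.

```ruby
require "uri"

# Simplified model of an nginx "rewrite <regex> <replacement> permanent;" redirect
# (an assumption for illustration, not nginx source): variables in the replacement
# are expanded, then the original query string is appended with "?" unless the
# replacement ends in a literal "?". A "?" elsewhere in the rule is not modelled.
def rewrite_location(replacement, host:, path:, args:)
  vars = {
    "host"        => host,
    "server_name" => host,                                   # same name in this sample
    "request_uri" => args.empty? ? path : "#{path}?#{args}", # path plus query string
    "1"           => path                                    # ^(.*) captures the path only
  }
  drop_args = replacement.end_with?("?")
  target = replacement.chomp("?").gsub(/\$(request_uri|server_name|host|1)/) { vars[$1] }
  (drop_args || args.empty?) ? target : "#{target}?#{args}"
end

# The token value an application recovers from the redirected URL.
# URI.decode_www_form stands in for the framework's query parsing.
def token_seen_by_app(location, param = "reset_code")
  query = location.split("?", 2)[1].to_s
  URI.decode_www_form(query).to_h[param]
end

# Constructed request: the path is made up; the parameter and value are the page's.
REQUEST = { host: "www.domain.com", path: "/users/password/edit", args: "reset_code=12345" }

RULES = {
  "doubled" => "https://$server_name$request_uri", # the commented-out rule
  "fixed"   => "https://$host$1",                  # the rule that replaced it
  "guarded" => "https://$host$request_uri?"        # trailing "?" stops the append
}

if __FILE__ == $PROGRAM_NAME
  RULES.each do |name, replacement|
    location = rewrite_location(replacement, **REQUEST)
    puts format("%-8s %s  token=%p", name, location, token_seen_by_app(location))
  end
end
```

With the first rule the app receives the token as `12345?reset_code=12345`, which matches no stored reset token, so the lookup fails even though the emailed link was correct.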


The answer provided above is correct. But it is a temporary solution and it works only for devise. However the problem arises when you manually send a confirmation token via email. You can fix this permanently. Go to environment/production. and change this line

config.action_mailer.default_url_options = { :host => 'domainname', :protocol => "http"}

to

config.action_mailer.default_url_options = { :host => 'domainname', :protocol => "https"}
