Reset password link not working for the second time #691
Comments
I experienced the same issue too.
Any of you guys found a solution? I'm experiencing the same issue...
Same problem with version 0.1.40.
This is because token auth creates a whole new session and deletes the token which was used for it. This is a major bug which would involve a lot of work. This is strictly bound with automatic login before even setting up a new password.
It's not a bug, it's a feature by design, so every token is used only once and cannot get hijacked.
@rachuxx is right, the gem is designed not to use the reset password token to validate the password change, but to generate a new session where you are certainly logged in and, among other things, you can change your password. You can even navigate the site with this session.
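As an added illustration of the single-use design described in the two comments above (this is not devise_token_auth's own code): a minimal reset-token store that keeps only a digest of the token at rest, consumes the token on first redemption while issuing a session, and therefore reports the second visit of the same link as not found. The class name, the six-hour lifetime and the in-memory store are assumptions.

```ruby
# Added example, not the gem's code: model of a single-use password reset token.
require 'securerandom'
require 'digest'

class ResetTokenStore
  TTL = 6 * 60 * 60 # assumed lifetime of a reset link, in seconds

  def initialize(clock: -> { Time.now })
    @clock = clock
    @users = {} # email => { token_digest:, sent_at:, session: }
  end

  # Issue a raw token to send by e-mail. Only its digest is stored, so a leaked
  # database row does not by itself yield a usable reset link.
  def issue(email)
    raw = SecureRandom.urlsafe_base64(24)
    @users[email] = { token_digest: digest(raw), sent_at: @clock.call, session: nil }
    raw
  end

  # Redeem a raw token from the link. On success the token is destroyed and a
  # fresh session is created (the "log you in first" design from the thread);
  # redeeming the same raw token again finds no matching digest.
  def redeem(raw)
    wanted = digest(raw)
    email, rec = @users.find { |_, r| r[:token_digest] && secure_equal(r[:token_digest], wanted) }
    return { ok: false, reason: :not_found } unless rec
    return { ok: false, reason: :expired } if @clock.call - rec[:sent_at] > TTL

    rec[:token_digest] = nil # consume: the link is single-use
    rec[:session] = SecureRandom.hex(16)
    { ok: true, email: email, session: rec[:session] }
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end

  # Constant-time comparison of two equal-length digests.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```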
Sounds like the current implementation is good for security, so... closing for now.
@zachfeldman No, it is not.
@BenjaminKim sorry to hear that you're so upset with the current implementation. This is a volunteer-run project, so might I suggest that you submit a pull request if you feel so passionately?
Hello,
I sent a POST request to user_auth/password with email and redirect_url as parameters.
I get an email with a link to reset my password.
If I click on that link, it redirects to the URL which I sent in the above request and shows me my custom page to change the password.
However, if I click on that reset password link in my email again, it gives a "Route not found" error.
I haven't changed my password. I just visit or click on the reset password link and it doesn't work the second time.
What I observed is that the reset_password_token is getting changed to the raw value instead of the encrypted value.
I am using version 0.1.37 of the gem.