exercism / bugs

Please use https://github.com/exercism/exercism for reporting bugs.

Issue with confirmation links in Thunderbird #32

Closed iHiD closed 5 years ago

iHiD commented 5 years ago

@kntsoriano See email below. Is this something we can fix easily? Thoughts in general?


Hello,

I just signed up and had a minor problem with the confirmation link I received. I am using Thunderbird as my mail client and only allow mails to be displayed as text. This in combination with my confirmation token led to the trailing "-" (without the quotes) in my token being missed, because Thunderbird automatically generates a clickable link when it detects a URL pattern and somehow stopped just before the last symbol which was said dash.

Now I know that this is technically more of an issue in Thunderbird but maybe something can be done to not have trailing dashes or similar "error generators"? Or just keep that in mind, when someone comes with a similar problem, because this has the potential of a support nightmare, maybe. :)

Also, since I didn't spot this the first time around, I requested a resending of a confirmation token and received the exact same one. Is this intentional? I was expecting to get a newly generated value. I don't know if this can be made into an exploitable issue, but think it is worth mentioning. Maybe some random number generator issue, which could actually point to a real problem, depending on what else it is used for: crypto mainly.

Anyway, just wanted to report this before I forget about it and didn't know where else to send this. Please forgive me, if this is not the correct venue for doing so. Haven't even looked at the content of exercism.io yet. Will do so now and am totally excited. :-)

Cheers, Peter

kntsoriano commented 5 years ago

@iHiD In here, it is intended behavior for Devise to send the same token if it hasn't expired yet. To solve the Thunderbird issue, I will create a text template for the confirmation email and add an explicit instruction to copy and paste the link.
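The truncated-link failure from the report, as an added example (not code from this thread, Devise, or exercism). The auto-linker below is a simplified, assumed model of a plain-text mail client, not Thunderbird's actual logic, and `link_safe_token`, `confirmation_url` and the `example.test` host are hypothetical names.

```ruby
require "securerandom"

# Simplified model of a plain-text auto-linker (an assumption): find a URL,
# then drop trailing punctuation, as if it belonged to the sentence around it.
TRAILING_PUNCT = /[-_.,;:!?)]+\z/

def autolinked(text)
  url = text[%r{https?://\S+}]
  url && url.sub(TRAILING_PUNCT, "")
end

# True when the modelled auto-linker hands the browser the complete URL.
def survives_autolink?(url)
  autolinked("Confirm your account: #{url}") == url
end

# URL-safe random token that never ends in "-" or "_".
# With a byte count divisible by 3 the last base64 character carries a full
# 6 bits, so it can be "-" or "_"; such draws are rejected and redrawn, which
# keeps the accepted tokens uniformly distributed.
def link_safe_token(bytes = 15)
  loop do
    token = SecureRandom.urlsafe_base64(bytes)
    return token if token.match?(/[A-Za-z0-9]\z/)
  end
end

# Hypothetical confirmation URL layout, used only for this example.
def confirmation_url(token)
  "https://example.test/users/confirmation?confirmation_token=#{token}"
end

# Constructed sample: a token ending in "-" loses its last character.
broken = confirmation_url("abc123-")
puts autolinked("Confirm your account: #{broken}")
puts survives_autolink?(confirmation_url(link_safe_token))
```
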