heartcombo / devise

Flexible authentication solution for Rails with Warden.
http://blog.plataformatec.com.br/tag/devise/
MIT License

Devise sends emails unintentionally #5541

Closed canberkvarli closed 1 year ago

canberkvarli commented 1 year ago

Current behavior

Even though users never requested to change a password, they receive a devise email saying "Your password has changed". One user in particular has received four of these emails and never requested to change the password and still has access to the account.

config.send_password_change_notification = true - This is the only trigger to the best of my knowledge.

Not sure what is replicating this behavior but was wondering if it's a known issue or am I just missing something.

Expected behavior

Devise would send the email after a user changes their password.

canberkvarli commented 1 year ago

Fixed.

The issue was that we are using SAML logins and setting up a new password whenever a user is logged in. This was triggering the email. Added an "unless" check if a user doesn't have a password.
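
The cause described in the last comment, reproduced as an added example (not code from the issue or from Devise): a plain-Ruby stand-in model queues the notification whenever a saved record's password digest changes, and a hypothetical SAML login handler is shown without and with the guard. `DemoUser`, `saml_login_unguarded`, `saml_login_guarded` and `mails_after` are assumed names.

```ruby
require "securerandom"
require "digest"

# Stand-in for a Devise-backed model (assumption, not Devise's code): updating a
# saved record whose password digest changed queues the notification that
# config.send_password_change_notification = true turns on.
class DemoUser
  attr_reader :encrypted_password, :outbox

  def initialize
    @encrypted_password = nil
    @saved_digest = nil
    @persisted = false
    @outbox = []
  end

  def password=(plain)
    # Constructed salted digest for the demo only.
    @encrypted_password = Digest::SHA256.hexdigest(SecureRandom.hex(8) + plain)
  end

  def save
    changed = @encrypted_password != @saved_digest
    @outbox << "Your password has changed" if @persisted && changed
    @saved_digest = @encrypted_password
    @persisted = true
  end
end

# Behaviour described in the thread: every SAML login assigns a new password.
def saml_login_unguarded(user)
  user.password = SecureRandom.hex(32)
  user.save
end

# Guarded variant: assign a password only when the user does not have one.
def saml_login_guarded(user)
  user.password = SecureRandom.hex(32) unless user.encrypted_password
  user.save
end

# Creates a user through a first login, then replays further logins and
# returns how many notification mails were queued.
def mails_after(extra_logins, handler)
  user = DemoUser.new
  (1 + extra_logins).times { send(handler, user) }
  user.outbox.size
end
```

Four repeat logins through the unguarded handler queue four mails, matching the count reported in the issue; the guarded handler queues none.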