lynndylanhurley / devise_token_auth

Token based authentication for Rails JSON APIs. Designed to work with jToker and ng-token-auth.
Do What The F*ck You Want To Public License

Updating users.email with confirmable enabled also updates uid. #1374

Open nrikiji opened 4 years ago

nrikiji commented 4 years ago

Updating users.email will update the uid. Is this the correct behavior? The expected behavior is that user.update(email: "xxxxx") does not update uid and email. We expect these to be updated when we complete the change from the token given in the authentication email.

rails console

$ user = User.find(1)
$ user.update(email: "hoge@example.com")
User Update (0.5ms)  UPDATE `users` SET `users`.`uid` = 'hoge@example.com', `users`.`confirmation_token` = 'xxxxxxxxxxxxxx', `users`.`confirmation_sent_at` = '2020-01-16 08:55:22', `users`.`unconfirmed_email` = 'hoge@example.com', `users`.`updated_at` = '2020-01-16 08:55:22' WHERE `users`.`id` = 1

app/models/user.rb

# frozen_string_literal: true

class User < ActiveRecord::Base
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :confirmable
  include DeviseTokenAuth::Concerns::User

  def postpone_email_change?
    true
  end
end

- devise_token_auth gem version: 1.1.3
- devise gem version: 4.7.1
- ruby version: 2.6.5
- rails version: 6.0.2.1

pnghai commented 4 years ago

I have to manually back up the old email and change the uid back to the old email when confirmable is set.

pnghai commented 4 years ago

https://github.com/lynndylanhurley/devise_token_auth/pull/1407 here's my proposal
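
A plain-Ruby sketch of the row state shown by the UPDATE statement in the issue, added here as an example; it is not code from devise, devise_token_auth or the linked pull request. `SketchUser`, `guard_uid_sync` and the hook order (uid sync running before the postponing step) are assumptions; the sketch contrasts the reported behavior with the expected one, where uid changes only once the new address is confirmed.

```ruby
# Constructed model, not devise or devise_token_auth code; hook names and order are assumptions.
class SketchUser
  attr_reader :email, :uid, :unconfirmed_email

  def initialize(email, guard_uid_sync:)
    @email = @uid = email
    @unconfirmed_email = nil
    @guard_uid_sync = guard_uid_sync
  end

  # Same override as in the issue's app/models/user.rb.
  def postpone_email_change?
    true
  end

  # Simulates user.update(email: ...): uid sync first, then the new address is parked.
  def update_email(new_email)
    old_email = @email
    @email = new_email
    sync_uid
    return unless postpone_email_change?
    @unconfirmed_email = new_email
    @email = old_email
  end

  # Simulates completing the change with the token from the confirmation email.
  def confirm_pending_email
    return false if @unconfirmed_email.nil?
    @email = @uid = @unconfirmed_email
    @unconfirmed_email = nil
    true
  end

  # True when uid already points at an address that has not been confirmed.
  def uid_ahead_of_confirmation?
    !@unconfirmed_email.nil? && @uid == @unconfirmed_email && @uid != @email
  end

  private

  def sync_uid
    return if @guard_uid_sync && postpone_email_change? # guard: keep uid until confirmation
    @uid = @email
  end
end

# Returns [uid, email, unconfirmed_email, drift?] after an unconfirmed email change.
def uid_after_unconfirmed_change(guard_uid_sync:)
  user = SketchUser.new("old@example.com", guard_uid_sync: guard_uid_sync)
  user.update_email("hoge@example.com")
  [user.uid, user.email, user.unconfirmed_email, user.uid_ahead_of_confirmation?]
end
```

The condition in `uid_ahead_of_confirmation?` is also what to look for when auditing existing rows: a uid equal to `unconfirmed_email` and different from `email`.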