Open iMacTia opened 4 years ago
@iMacTia I was having the same problem, but in a slightly different way. I was using the passwords#update entry to change the user password using the current_password attribute too, but I guess that is not correct. It broke after I set the require_client_password_reset_token config to reset passwords. So after reading this issue I started to investigate the problem. And what I concluded is that we are not supposed to use the passwords#update action to change a user's password, but registrations#update. It worked for me! Give it a try!
@rodrigovcortezi I can see what you're referring to. Looking again at the code it seems, as you said, that the passwords#update action should only be used for password reset, hence for cases where we don't have a valid access token, although for some reason there's an else loading the user based on the actual access-token, which doesn't really make sense under that assumption (https://github.com/lynndylanhurley/devise_token_auth/blob/387306a180e955da077a67a6b77b1feda9497202/app/controllers/devise_token_auth/passwords_controller.rb#L73).

I guess there's a bit of confusion around the correct password reset flow, but as you correctly pointed out I can successfully change the password using the registrations#update endpoint instead.

Still, it would be good to hear from a maintainer about why passwords#update allows setting the user by token, if that should not be possible during a password reset.
Exactly the same issue as @rodrigovcortezi, and the solution provided still works. Thanks.
When posting issues, please include the following information to speed up the troubleshooting process:
master branch

activemodel (6.0.2.2) lib/active_model/attribute_assignment.rb:53:in `_assign_attribute'
activemodel (6.0.2.2) lib/active_model/attribute_assignment.rb:44:in `block in _assign_attributes'
activemodel (6.0.2.2) lib/active_model/attribute_assignment.rb:43:in `each'
activemodel (6.0.2.2) lib/active_model/attribute_assignment.rb:43:in `_assign_attributes'
activerecord (6.0.2.2) lib/active_record/attribute_assignment.rb:22:in `_assign_attributes'
activemodel (6.0.2.2) lib/active_model/attribute_assignment.rb:35:in `assign_attributes'
activerecord (6.0.2.2) lib/active_record/persistence.rb:620:in `block in update'
activerecord (6.0.2.2) lib/active_record/transactions.rb:375:in `block in with_transaction_returning_status'
activerecord (6.0.2.2) lib/active_record/connection_adapters/abstract/database_statements.rb:281:in `block in transaction'
activerecord (6.0.2.2) lib/active_record/connection_adapters/abstract/transaction.rb:280:in `block in within_new_transaction'
activerecord (6.0.2.2) lib/active_record/connection_adapters/abstract/transaction.rb:278:in `synchronize'
activerecord (6.0.2.2) lib/active_record/connection_adapters/abstract/transaction.rb:278:in `within_new_transaction'
activerecord (6.0.2.2) lib/active_record/connection_adapters/abstract/database_statements.rb:281:in `transaction'
activerecord (6.0.2.2) lib/active_record/transactions.rb:212:in `transaction'
activerecord (6.0.2.2) lib/active_record/transactions.rb:366:in `with_transaction_returning_status'
activerecord (6.0.2.2) lib/active_record/persistence.rb:619:in `update'
devise_token_auth (275da3c1960b) app/controllers/devise_token_auth/passwords_controller.rb:89:in `update'

Rails.application.routes.draw do
  namespace :api, defaults: { format: 'json' } do
    scope module: :v1, constraints: ApiConstraints.new(version: 1, default: true) do
      mount_devise_token_auth_for 'User', at: 'auth'
    end
  end
end