lynndylanhurley / devise_token_auth

Token based authentication for Rails JSON APIs. Designed to work with jToker and ng-token-auth.
Do What The F*ck You Want To Public License

Password reset is not working if check_current_password_before_update is set #988

Open misham opened 6 years ago

misham commented 6 years ago

Summary:

Version: 0.1.42

If check_current_password_before_update is set to :password, user password cannot be updated. render_update_error is called (https://github.com/lynndylanhurley/devise_token_auth/blob/master/app/controllers/devise_token_auth/passwords_controller.rb#L121) instead of updating.

I was able to trace the execution to verify that @resource.allow_password_change = true; is never set (https://github.com/lynndylanhurley/devise_token_auth/blob/master/app/controllers/devise_token_auth/passwords_controller.rb#L81)

I was able to solve this by commenting out the check_current_password_before_update line. While this unblocks me for now, I need to have the user provide their current password to update their password.

Looks like this was addressed in this (merged) PR: https://github.com/lynndylanhurley/devise_token_auth/commit/db8d69418b410ed13a0f4e1b46ab672d6ffabbc2#diff-a8896c96c8847a9cc2fe37d3c448849c

However it did not make it into 0.1.42 for some reason?

Or am I doing something wrong here?

nicholasshirley commented 6 years ago

I just started a new project using 0.1.42 with config.check_current_password_before_update = :password without issue. Everything was out of the generator except no confirmable or omniauthable.

zachfeldman commented 6 years ago

@misham does @nicholasshirley's workaround/solution work for you?

misham commented 6 years ago

No, but adding some custom code that does the same flow as what's in master fixed it.

Do you have an estimate for when the next version will drop?

zachfeldman commented 6 years ago

I don't, that's up to @lynndylanhurley.

nicholasshirley commented 6 years ago

@misham I hit this as soon as I overrode the passwords controller. How did you end up persisting allow_password_change?

misham commented 6 years ago

@nicholasshirley I adapted this solution to my needs: https://github.com/lynndylanhurley/devise_token_auth/issues/604#issuecomment-306018813

Basically, same flow as what's in master, but with slightly different names. Added a column to the User model and used a similar PasswordsController as described in the linked comment.
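
The flow discussed in this thread, as an added example that is not the gem's code and not from any commenter: a persisted `allow_password_change` flag is set only when a reset token is redeemed, lets one update skip the current-password check, and is cleared afterwards. The `User` class, its method names, the return symbols and the sample values are constructed for illustration.

```ruby
require 'digest'
# Constructed model; allow_password_change stands for the persisted column
# mentioned in the thread. SHA-256 is a stand-in for Devise's own hashing.
class User
  def initialize(password)
    @password_digest = digest(password)
    @reset_token_digest = nil
    @allow_password_change = false
  end

  def issue_reset_token(token)
    @reset_token_digest = digest(token)
  end

  # Reset link followed: a valid token is consumed and opens a one-shot window.
  def redeem_reset_token(token)
    return false unless @reset_token_digest && digest(token) == @reset_token_digest
    @reset_token_digest = nil
    @allow_password_change = true
  end

  # Update with the equivalent of check_current_password_before_update = :password.
  def update_password(new_password, current_password: nil)
    unless @allow_password_change
      return :current_password_required if current_password.nil?
      return :current_password_invalid unless digest(current_password) == @password_digest
    end
    @password_digest = digest(new_password)
    @allow_password_change = false # close the window so the bypass is single use
    :updated
  end

  private
  def digest(value)
    Digest::SHA256.hexdigest(value)
  end
end

# Walks the scenario and returns each step's result in order.
def demo
  user = User.new('old-secret')
  user.issue_reset_token('constructed-token')
  [user.update_password('new-1'),                  # no token redeemed yet
   user.redeem_reset_token('wrong'),
   user.redeem_reset_token('constructed-token'),
   user.update_password('new-2'),                  # allowed by the flag
   user.update_password('new-3'),                  # flag already cleared
   user.update_password('new-4', current_password: 'new-2')]
end
```

If the flag is never set on redemption, the fourth step returns `:current_password_required`, which is the failure reported at the top of this issue; if it is never cleared, every later update skips the current-password check.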