scambra / devise_invitable

An invitation strategy for devise
MIT License

saving raw token but looking up by encrypted token #508

Closed ryan2johnson9 closed 10 years ago

ryan2johnson9 commented 10 years ago

Hi,

I'm using Rubinius 2.2.10, Rails 4.1.6, devise 3.3, and devise_invitable 1.3.6.

I've been struggling with this issue for some time and have tried going through your code a bit.

When I invite a user, the token saved in the database is the raw token, i.e. it is the same as the token in the link that is sent in the invitation.

The problem is that when the invited user follows that link, devise_invitable attempts to look up the user with

find_by_invitation_token(params[:invitation_token], true)

inside the resource_from_invitation_token callback called before edit in the InvitationsController. This call 'seems to' convert the token to an encrypted one before searching the db. I tried this in my console, see below and notice the difference between the token I pass in and the SQL query:

User.find_by_invitation_token("ca6ee66b699440b03f83cc69d957877db2c4e7c9bd0455529efa0052f6d89fae", true)
User Load (0.9ms)  SELECT  "users".* FROM "users"  WHERE "users"."invitation_token" = 'a09e1588eb8d519369d4c0244b6a618ccb79b76f7bb29aa7f416975db7ec84aa'  ORDER BY "users"."id" ASC LIMIT 1
=> nil

and setting the second parameter to true simply creates a new User.

It does not seem to make any difference whether I have the

config.allow_insecure_token_lookup

set to true or false.

Could there be something wrong with my config? Here is my devise.rb config file:

Devise.setup do |config|
  config.allow_insecure_token_lookup = false

  config.mailer_sender = "support@calm.dhamma.org"

  config.mailer = "Devise::Mailer"

  require 'devise/orm/active_record'

  config.authentication_keys = [ :login ]

  config.case_insensitive_keys = [ :email ]

  config.strip_whitespace_keys = [ :email ]

  config.http_authenticatable_on_xhr = true

  config.stretches = Rails.env.test? ? 1 : 10

  # Setup a pepper to generate the encrypted password.
  config.pepper = "something....f4b98f5....something"

  # ==> Configuration for :invitable
  config.invite_for = 1.weeks

  config.invite_key = {:email => /\A(\S+)@(.+)\.(\S+)\z/, :username => /\A[a-z0-9\-_\s]+\z/}

  # ==> Configuration for :timeoutable
  config.timeout_in = 2.hours  # for other environments
  config.timeout_in = 20.minutes if  Rails.env.production?

  # ==> Configuration for :lockable
  config.lock_strategy = :failed_attempts

  config.unlock_strategy = :email
  config.maximum_attempts = 5
  # ==> Configuration for :recoverable
  config.reset_password_keys = [ :email ]

  config.reset_password_within = 2.hours

  config.sign_out_via = :delete

  config.secret_key = 'something...bd9f1e....something....'

end
ryan2johnson9 commented 10 years ago

Sorry, my error: I had changed all the overridden views to use @token except for the most important one, invitation_instructions.html.haml.
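The behaviour in this thread is the expected one for Devise's digested tokens: the database column holds only an HMAC digest of the token, the raw token exists only in the email, and the finder digests whatever arrives in the URL before querying. A mailer view that interpolates @resource.invitation_token therefore sends the digest, which gets digested a second time on lookup and matches nothing; @token is the raw value and matches. The following is an added, self-contained Ruby model of that scheme, not code from Devise or devise_invitable. It assumes a hard-coded SECRET_KEY in place of config.secret_key, approximates ActiveSupport's key derivation with PBKDF2-HMAC-SHA1, and uses an in-memory hash as the users table; the method names mirror the ones discussed above but are constructed here.

```ruby
require "openssl"
require "securerandom"

# Assumption: stands in for config.secret_key in devise.rb (constructed value).
SECRET_KEY = "constructed-secret-key-for-the-example-only"

# Per-column HMAC key, so a digest stored in one column cannot be replayed
# against another (e.g. invitation_token vs reset_password_token).
# Approximation of ActiveSupport::KeyGenerator (PBKDF2-HMAC-SHA1, 2**16 rounds, 64 bytes).
def key_for(column)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(SECRET_KEY, "Devise #{column}", 2**16, 64)
end

# What ends up in the database: HMAC-SHA256(key_for(column), raw token), hex-encoded.
def digest(column, raw)
  OpenSSL::HMAC.hexdigest("SHA256", key_for(column), raw.to_s)
end

# Returns [raw, digest]; only the raw half may leave the server, only the digest is stored.
def generate_token(column)
  raw = SecureRandom.hex(32) # assumption: any unguessable random string works here
  [raw, digest(column, raw)]
end

# Constructed in-memory users table: stored digest => record.
USERS = {}

# Invite flow: persist the digest, hand the raw token to the mailer.
def invite(email)
  raw, enc = generate_token(:invitation_token)
  USERS[enc] = { email: email, invitation_token: enc }
  raw
end

# Lookup flow, mirroring a digest-then-query finder: the value from the URL is
# digested again and compared with the stored column. Passing the stored digest
# itself (what a view using @resource.invitation_token would put in the link)
# yields digest(digest(raw)), which never matches.
def find_by_invitation_token(token_from_url)
  USERS[digest(:invitation_token, token_from_url)]
end

# Runs both kinds of link through the finder and reports which one resolves.
def lookup_outcomes
  USERS.clear
  raw = invite("invitee@example.com")
  stored_digest = USERS.keys.first
  {
    via_raw_token:     !find_by_invitation_token(raw).nil?,           # the @token link
    via_stored_digest: !find_by_invitation_token(stored_digest).nil?, # the @resource.invitation_token link
  }
end

if __FILE__ == $PROGRAM_NAME
  p lookup_outcomes # => {:via_raw_token=>true, :via_stored_digest=>false}
end
```

The practical check when an invitation link 404s or falls through to a new record: compare the token in the sent email with the invitation_token column for that user. If they are equal, the mailer view is leaking the stored digest instead of the raw @token; if they differ and the lookup still fails, the digest key (secret_key) changed between sending and accepting.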