Rails 4 + Devise: Password Reset is always giving a "Token is invalid" error on the production server, but works fine locally.

justindao · Sep 26, 2013 · Viewed 17.5k times

I have a Rails 4 application set up to use Devise, and I'm running into a problem with password resets. I have the mailer set up, and the password reset email sends fine. The link provided has the correct reset_password_token assigned to it, which I checked with the database. However, when I submit the form with correctly formatted passwords, it gives an error saying that the reset token is invalid.

However, the exact same code works fine locally through rails s. The email sends, and I can actually reset the password. The code I use is just the standard Devise code, I haven't overridden any of it.

Perhaps it's something with Apache? I'm not too familiar with it. Does anyone have any ideas?

Answer

doctororange · Oct 8, 2013

Check the code in app/views/devise/mailer/reset_password_instructions.html.erb

The link should be generated with:

edit_password_url(@resource, :reset_password_token => @token)

If your view still uses this code, that will be the cause of the issue:

edit_password_url(@resource, :reset_password_token => @resource.reset_password_token)

Devise started storing hashes of the token, so the email needs to create the link using the real token (@token) rather than the hashed value stored in the database.

This change occurred in Devise in 143794d701
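
The failure described in the answer, as an added Ruby example that is not part of the original answer and is not Devise's own code: a simplified model in which the server stores only a keyed digest of the token (HMAC-SHA256 is assumed here), so a link built from the database column is digested a second time on submission and matches nothing. ResetStore, token_digest and DEMO_KEY are hypothetical names, and the key and email address are constructed.

```ruby
require 'openssl'
require 'securerandom'

# Constructed key for this demo only; a real app derives its key from its secret.
DEMO_KEY = 'constructed-demo-key'

# Keyed digest of a token. Only this value is ever stored server-side.
def token_digest(raw)
  OpenSSL::HMAC.hexdigest('SHA256', DEMO_KEY, raw)
end

# Hypothetical in-memory stand-in for the users table, indexed by token digest.
class ResetStore
  def initialize
    @email_by_digest = {}
  end

  # Stores the digest and returns the raw token, which belongs in the email link.
  def issue(email)
    raw = SecureRandom.urlsafe_base64(15)
    @email_by_digest[token_digest(raw)] = email
    raw
  end

  # What a reader of the database column sees: the digest, never the raw token.
  def stored_value(email)
    @email_by_digest.key(email)
  end

  # Digest whatever the form submitted and look the result up, like a DB query.
  def find_by_submitted_token(submitted)
    @email_by_digest[token_digest(submitted.to_s)]
  end
end

# Compare a link built from the raw token with one built from the stored column.
def demo
  store = ResetStore.new
  raw = store.issue('user@example.com')
  {
    with_raw_token: store.find_by_submitted_token(raw),
    with_db_column: store.find_by_submitted_token(store.stored_value('user@example.com'))
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

Storing only the digest means a read of the users table does not yield a usable reset link, which is also why the token in the email no longer matches the column value.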