
I am creating a password reset token for my rails app.

In my user controller, using BCrypt-Ruby, the rails scaffolding took care of everything with the built in validation/saving. Now, however, I am having a bit of difficulty.

In my ResetToken controller, I have this method:

def do_reset
    # look up the reset token from the URL
    @token = ResetToken.find_by(token: params[:id])
    if request.post?
        # assign the submitted password; has_secure_password hashes it into password_digest
        user = @token.user
        user.password = params[:password]
        user.password_confirmation = params[:password_confirmation]
        if user.save
            redirect_to shop_url
        end
    else
        # GET: fall through and render the reset form
    end
end

and this form in the corresponding view:

<%= form_tag do %>
<div class="row">
  <div class="form-group">
    <div class="col-md-6">
      <%= label_tag :password %><br>
      <%= password_field :password, class: "form-control" %>
    </div>
    <div class="col-md-6">
      <%= label_tag :password_confirmation %>
      <%= password_field :password_confirmation, class: "form-control" %>
    </div>
  </div>
</div>

<div class="row">
  <div class="col-md-12">
    <%= submit_tag "Update Password", class: "btn btn-primary pull-left push-bottom" %>
  </div>
</div>
<% end %>

Now the auto validation still works (it still triggers the validation if the passwords don't match). However, it appears I cannot log in after updating the password. It still looks like the passwords are being hashed, but I just can't log in after the update. What am I missing?


Update 1

Here is some additional info on User passwords. As I mentioned above, I am using the BCrypt-Ruby gem:

from the schema

create_table "users", force: true do |t|
    t.string   "first_name"
    t.string   "last_name"
    t.string   "email"
    t.string   "password_digest"
    ... 
end

From rails console

2.0.0p247 :001 > u = User.find_by(email: 'drew.j.wyatt@gmail.com')
  User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."email" = 'drew.j.wyatt@gmail.com' LIMIT 1
 => #<User id: 1, first_name: "Drew", last_name: "Wyatt", email: "drew.j.wyatt@gmail.com", password_digest: "$2a$10$gPW4PHLZgT5o2OqTlLJt0ObsdfFlnDKxSAuYHIOntaPx...", created_at: "2014-05-03 02:24:26", updated_at: "2014-06-23 01:06:20">
2.0.0p247 :002 > u.password_digest
 => "$2a$10$gPW4PHLZgT5o2OqTlLJt0ObsdfFlnDKxSAuYHIOntaPxDZSxIQrC6" 

user model (has secure password is what triggers the bcrypt hashing)

class User < ActiveRecord::Base
  validates :email, presence: true, uniqueness: true
  validates :first_name, :last_name, :phone, :address, :city, :state, :zip, presence: true
  validates_with UserValidator

  has_secure_password
  has_many :orders

  has_many :commissions, class_name: Order, foreign_key: :distributor_id

  belongs_to :distributor_level
  belongs_to :referred_by, class_name: User
end
  • It might help to show how the `User#password=` and `User#password_confirmation=` methods are defined just to make absolutely sure they're getting hashed and not saved in the database as plain text. – Austin Mullins Jun 23 '14 at 01:22
  • Why are you checking `request.post?` instead of creating a RESTful controller and routes? I'm curious if you're actually getting a different HTTP method and this is short-circuiting on the conditional. – coreyward Jun 23 '14 at 01:40
  • @AustinMullins just added an update that will (hopefully) answer your question. – drewwyatt Jun 23 '14 at 01:44
  • @coreyward Ignorance (probably)? Though, I am confident request.post? is being triggered. After adding `if user.save` validation is being triggered (in the event of passwords not matching). Also the `updated_on` timestamp is being updated, and the redirect is fired. That being said, I am totally open to any suggestions/improvements you have to offer. – drewwyatt Jun 23 '14 at 01:47
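
As an added example (not code from the question or its comments), the script below replays the reset flow against a stand-in for `has_secure_password` to show one cause consistent with the symptoms reported: `password_field :password` is the object-form helper and nests its value, so `params[:password]` reaches the controller as a Hash rather than a String, whereas `password_field_tag :password` submits a flat `params[:password]`; bcrypt-ruby hashes `secret.to_s`, so the save, the confirmation check and the redirect all succeed while the stored digest is not of the password the user typed. The `FakeBcrypt` module, the `User` class and both parameter hashes are constructed stand-ins, and the exact nested key Rails would generate is not reproduced.

```ruby
require "digest"
require "securerandom"
# Stand-in for BCrypt::Password (assumption: the bcrypt gem may not be installed
# here). Like bcrypt-ruby it hashes `secret.to_s`, so a Hash is hashed silently.
module FakeBcrypt
  def self.create(secret)
    salt = SecureRandom.hex(8)
    "#{salt}$#{Digest::SHA256.hexdigest(salt + secret.to_s)}"
  end

  def self.match?(digest, secret)
    salt, hex = digest.to_s.split("$", 2)
    !hex.nil? && hex == Digest::SHA256.hexdigest(salt + secret.to_s)
  end
end
# Minimal model mirroring what has_secure_password adds to the question's User.
class User
  attr_reader :password
  attr_accessor :password_confirmation, :password_digest
  def password=(unencrypted)          # skipped when blank, as in has_secure_password
    return if unencrypted.nil? || (unencrypted.respond_to?(:empty?) && unencrypted.empty?)
    @password = unencrypted
    self.password_digest = FakeBcrypt.create(unencrypted)
  end

  def valid?                          # validates_confirmation_of :password
    password_confirmation.nil? || password == password_confirmation
  end

  def authenticate(plain)
    FakeBcrypt.match?(password_digest, plain) && self
  end
end
# Constructed params: a flat password_field_tag form submits Strings ...
FLAT_PARAMS = { password: "s3cret", password_confirmation: "s3cret" }.freeze
# ... while an object-form field nests its value, so the controller gets a Hash
# (placeholder key; the exact key Rails would generate is not reproduced).
NESTED_PARAMS = { password: { "field" => "s3cret" },
                  password_confirmation: { "field" => "s3cret" } }.freeze

# Same assignments the question's do_reset makes, followed by the check that
# should follow any reset: does the password the user typed still authenticate?
def reset_and_check(params, typed = "s3cret")
  user = User.new
  user.password = params[:password]
  user.password_confirmation = params[:password_confirmation]
  { saved: user.valid?, string_param: params[:password].is_a?(String),
    can_login: !!user.authenticate(typed) }
end
```

With the nested shape the save "succeeds" and the confirmation matches, yet `authenticate` with the typed password fails, which is the symptom described; checking `params[:password].class` in the controller, or switching the view to `password_field_tag`, is the quick way to confirm or rule this out.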

0 Answers