
The Recoverable function of Devise 3.4.1 on Ubuntu 14.xx generates an invalid token. It is impossible to change a forgotten password. I use VMware and went back to a snapshot without the security update patch for Spectre and Meltdown, and I was able to change a test user's password. I didn't install anything new, no new gem. I'm quite sure the problem comes from the security patch. There are a lot of answers about invalid tokens and I tried them all, but why should I change a configuration that worked so fine month after month? Has anyone experienced the same? I know the biggest virus is myself, but here in this case...

Here is the app/models/user.rb

class User < ActiveRecord::Base
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable, :confirmable

  # Queue Devise mails (including reset-password instructions) for background delivery
  def send_devise_notification(notification, *args)
    devise_mailer.send(notification, self, *args).deliver_later
  end
end

I tried devise_mailer.send(notification, self, *args).deliver_now but I still get a non-matching token.

Pierre
  • I can assure you that Spectre and Meltdown have nothing to do with the error you're experiencing. It's one of the most widely-used gems and there's not a blip on the radar. https://github.com/plataformatec/devise/search?utf8=%E2%9C%93&q=Spectre&type= https://github.com/plataformatec/devise/search?utf8=%E2%9C%93&q=Meltdown&type= – Josh Brody Jan 14 '18 at 02:24
  • Have you an idea why the generated token doesn't match anymore? – Pierre Jan 14 '18 at 04:21
  • I have lots of ideas but none would be accurate because I have no idea where it's failing or how it's failing, what steps you're taking to reproduce the issue, your environment, how your initializer looks, how your controllers look, and how any user-like classes look. – Josh Brody Jan 14 '18 at 04:27
  • I will wait for the next security patch. I always keep two servers with the same app. I took a snapshot just before the apt upgrade with the Spectre/Meltdown patch. I noticed that the lost password process generates a non-matching token on the test server; I checked the production server, saw the problem on it too, went back to the snapshot from before the patch and was again able to change a lost password. Environment, controllers and models are as described in the Devise gem. I will update if the problem is on my side. – Pierre Jan 14 '18 at 17:08
  • I was giving you an opportunity to provide some code :) – Josh Brody Jan 14 '18 at 17:53
  • I can give you all the gem code of Devise as auto-installed on my server, or do you prefer to see the code that is in use in the app I made? I have added the model user.rb for now and I will check all other relevant files attached to the Devise gem. – Pierre Jan 16 '18 at 00:33
  • Can you provide a minimum working and verifiable example? https://stackoverflow.com/help/mcve – Josh Brody Jan 16 '18 at 04:27

0 Answers