Comments on: Devise 3.1: Now with more secure defaults

By: HappyNoff

HappyNoff — Tue, 10 Sep 2013 09:25:00 +0000

Just a note, the article is missing the Devise tag 😉

By: Johnny

Johnny — Mon, 19 Aug 2013 17:16:00 +0000

Why would the user’s email randomly be in the parameters?

By: josevalim

josevalim — Wed, 14 Aug 2013 05:49:00 +0000

In reply to Steven Harman.

Steven, if you are sending the e-mail via the interface, there is nothing you can do. One would argue that your current approach is the most correct one, as you are effectively testing the proper e-mail is being sent too.

In any case, you can always send the e-mail manually, which gives you access to the token. For recoverable, here is what you would call: https://github.com/plataformatec/devise/blob/master/lib/devise/models/recoverable.rb#L47

By: Steven Harman

Steven Harman — Wed, 14 Aug 2013 02:28:00 +0000

In one of my apps I have some feature specs that relied on grabbing the confirmation/reset_password tokens directly off of the `User` in order to generate the correct URLs for confirming or resetting a password. Those specs suddenly broke.

For now, I’ve resorted to extracting the “raw” tokens out of the sent emails. Is there a better way to do this? https://gist.github.com/stevenharman/6227508

By: josevalim

josevalim — Tue, 13 Aug 2013 18:13:00 +0000

In reply to Vermin. It depends on how he can access the confirmation e-mail. If he can access the target inbox, then surely. As well if he's sniffing the target network. In those cases, there is nothing we can do. Now, in case he was mistakenly sent a confirmation e-mail (for example, reconfirmable), there is nothing he can do.

By: Vermin

Vermin — Tue, 13 Aug 2013 17:58:00 +0000

If the attacker can access the confirmation e-mail, can’t he just confirm the account and then reset the password to get access?