
Rails devise_token_auth gem, how do I set password reset link?

I have a problem using the password reset function of this gem. https://github.com/lynndylanhurley/devise_token_auth

This is from the document.

/password/edit     GET  

"Verify user by password reset token. This route is the destination URL for password reset confirmation. This route must contain reset_password_token and redirect_url params. These values will be set automatically by the confirmation email that is generated by the password reset request."

When users forget their passwords, they can enter their registered email, and they will receive a password reset link via email.

POST: https://example.com/api/auth/password

params = email and redirect link ( https://example.com/api/auth/password/edit )

I can send a password reset link via email, but when I click the link or "Change my password" in the email, it jumps to the redirect address with the token.

And it shows "The page you were looking for doesn't exist."

This might be a routes error or something, but I don't know. I am not even sure if I should set "/password/edit" for the redirect link.

This is the related link on GitHub: https://github.com/lynndylanhurley/devise_token_auth/issues/604

Am I missing something, or should I set a different address for the redirect link part?

The flow of the devise_token_auth reset password feature is that it has three APIs:

  1. A POST call for sending the reset password token
  2. A GET request for getting the authentication headers
  3. A PATCH call for changing the password

In the POST you will send the email and redirect URL; this will call the create method in DeviseTokenAuth::PasswordsController, which creates a reset password token and sends it in the email.

The link in the email will call the edit method of DeviseTokenAuth::PasswordsController, where it generates the authentication headers and redirects to the redirect URL which you sent in the previous request, with these authentication headers as a query string (URL parameters).

Use these authentication headers to send a PATCH request to the update method in DeviseTokenAuth::PasswordsController, with password and password_confirmation as attributes.

The password will be changed.

As noted above, devise_token_auth has three API calls to make for resetting a password.

1. A POST call to send a Password Reset Email

 POST /auth/password
 Params: 'email', 'redirect_url'

E.g.:

curl -v -H 'Content-Type: application/json' -H 'Accept: application/json' -X POST https://myapp.com/auth/password -d '{"email":"foo@gmail.com", "redirect_url": "https://myapp.com/auth/sign_in"}'

Note that the redirect_url given must correspond to the endpoint you want the user taken to for confirming and resetting their password.

E.g. if you want to redirect to somewhere within an iOS app, use the URL for that app scheme in the redirect_url definition. E.g. to manually do this on iOS:

curl -v -H 'Content-Type: application/json' -H 'Accept: application/json' -X POST https://myapp.com/auth/password -d '{"email":"foo@gmail.com", "redirect_url": "myappStoreAppName://auth/password/edit"}'

2. A GET call to verify the password reset token (clicked in email)

GET /auth/password/edit
Params: 'password_reset_token', 'redirect_url'

E.g. via our iOS app would produce an email link like this: https://myapp.com/auth/password/edit?config=default&redirect_url=myappStoreName%3A%2F%2Fauth%2Fpassword%2Fedit&reset_password_token=Qv6mkLuoy9zN-Y1pKghB

If this is from a web app, the 'redirect_to' link should point to a form where a password and password_confirmation form can be filled out. If the password reset email link points to a mobile app, it's up to that app to create the password reset form.

Most important in this step is knowing that the client making the request will get back an Access-Token HEADER from the Rails app.

This Access-Token needs to be saved, because it's what the client will use in the next request to keep the user authenticated while the user changes their password.

3. A PUT call to update the user's password

PUT /auth/password
Head: 'uid: VALUE', 'client: VALUE', 'access-token: VALUE', 'token-type: Bearer'
Params: 'password', 'password_confirmation'

Note the HEAD values that need to be supplied for this PUT call. These ensure our (now authenticated user) has permission to execute a change of password, and ensure that our user can continue to remain authenticated even after changing their password.

E.g. via curl:

curl -v -H 'Content-Type: application/json' -H 'uid: foo@gmail.com' -H 'client: U9FIDbiDbYVulsi1dBpxOQ' -H 'access-token: JbGQi97FTAwsW4n6SZ9aYQ'  -H 'Accept: application/json' -X PUT https://myapp.com/auth/password -d '{"password": "foobar", "password_confirmation": "foobar"}'
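The hand-off between steps 2 and 3 described in the answers above, as an added example that is not part of either answer or of the gem's own code: it reads the credentials from the redirected URL and builds (without sending) the password update request. The query parameter names are an assumption that mirrors the header names in step 3, and `SAMPLE_REDIRECT`, the `/reset` page and both function names are hypothetical.

```ruby
require 'uri'
require 'json'
require 'net/http'

# Assumption: the redirect's query parameters use the same names as the
# headers listed in step 3 (uid, client, access-token).
AUTH_KEYS = %w[uid client access-token].freeze

# Pull the credentials the server appended to redirect_url in step 2.
# Fails closed if any of them is absent or empty.
def auth_headers_from_redirect(redirected_url)
  query  = URI.parse(redirected_url).query.to_s
  params = URI.decode_www_form(query).to_h
  missing = AUTH_KEYS.select { |k| params[k].to_s.empty? }
  raise ArgumentError, "redirect is missing: #{missing.join(', ')}" unless missing.empty?

  params.slice(*AUTH_KEYS).merge('token-type' => 'Bearer')
end

# Build the step 3 request. Nothing is sent here; the caller passes the
# result to Net::HTTP when ready.
def build_password_update(password_url, redirected_url, password, confirmation)
  raise ArgumentError, 'password and confirmation differ' unless password == confirmation

  uri = URI.parse(password_url)
  # The request carries a live access token, so refuse plain http.
  raise ArgumentError, 'password endpoint must be https' unless uri.scheme == 'https'

  req = Net::HTTP::Put.new(uri)
  req['Content-Type'] = 'application/json'
  req['Accept']       = 'application/json'
  auth_headers_from_redirect(redirected_url).each { |name, value| req[name] = value }
  req.body = JSON.generate({ 'password' => password,
                             'password_confirmation' => confirmation })
  req
end

# Constructed sample: the address the client lands on after the email link
# is clicked, reusing the placeholder values from the curl example above.
SAMPLE_REDIRECT = 'https://myapp.com/reset?access-token=JbGQi97FTAwsW4n6SZ9aYQ' \
                  '&client=U9FIDbiDbYVulsi1dBpxOQ&uid=foo%40gmail.com'
```

Because the redirected URL carries working credentials in its query string, the client should read them once and keep that URL out of logs, analytics and browser history.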
