rails devise reset password token is replaced with user's email only in production

I use rails 3 and devise 3.0.3. My devise views and controllers are mostly default. Here is PasswordsController:

class PasswordsController < Devise::PasswordsController
  layout "application_new"

  def new
    flash.clear
    super
  end

  def create
    self.resource = resource_class.send_reset_password_instructions(resource_params)

    if successfully_sent?(resource)
      respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
    else
      flash[:notice] = t("errors.no_user")
      respond_with(resource)
    end
  end

  def update
    self.resource = resource_class.reset_password_by_token(resource_params)

    if resource.errors.empty?
      resource.unlock_access! if unlockable?(resource)
      sign_in(resource_name, resource)
      respond_with resource, location: after_resetting_password_path_for(resource)
    else
      flash[:notice] = resource.errors.full_messages
      respond_with(resource)
    end
  end
end


And here is the edit password form:

= form_for resource, as: resource_name, url: password_path(resource_name), html: { method: :put } do |f|
  h2 = t('signup.password_recovery')
  = f.hidden_field :reset_password_token
  .form-group
    = f.label :password, t("forms.new_password_label")
    = f.password_field :password, required: true, class: "form-control"
  .form-group
    = f.label :password_confirmation, t("forms.password_confirmation_label")
    = f.password_field :password_confirmation, required: true, class: "form-control"
  = f.submit t('users.account.save'), class: 'btn btn-fill orange'


Here's the mailer template:

= raw edit_password_url(@resource, reset_password_token: @resource.reset_password_token)


When I try to reset a user's password, it works perfectly well in development, which means I get a letter with a reset link, which contains the reset password token in its parameters and leads to the edit password page with the appropriate form and a hidden field with the aforementioned token in it.

In production, I get a similar letter containing a reset link with the reset password token in its parameters (it is always the right token, I double-checked it); however, when I open the edit password page, I see the user's email in the hidden reset password token field instead of the token itself. I don't understand how it gets there. Any suggestions?

PS: I've already seen this topic: Rails 4 + Devise: Password Reset is always giving a "Token is invalid" error on the production server, but works fine locally. It isn't the case, because I get the right token in the parameters; the problem is that somehow I get the user's email instead of the token in my form.

That's what I expect to see and what I get in development:
<input id="user_reset_password_token" name="user[reset_password_token]" type="hidden" value="KyFVbsSUyAzsntDg4Dwf">

That's what I get in production:
<input id="user_reset_password_token" name="user[reset_password_token]" type="hidden" value="my_email@gmail.com">

I found the root of the problem; it didn't have anything to do with Rails, actually. Safari just autofilled that hidden input with my email. I solved that thanks to this discussion: Safari autofills hidden "reset password token" input.
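
A server-side check for the failure described above, as an added example that is not part of the original posts or of Devise: it recognises when the submitted reset_password_token field holds an autofilled e-mail address and falls back to a token carried in the URL. The helper names, the token shape and the idea of keeping the token in the form action's query string are assumptions made for illustration.

```ruby
# Assumption: reset tokens are URL-safe strings (letters, digits, "-", "_"),
# like the 20-character sample value shown in the question.
TOKEN_SHAPE = /\A[A-Za-z0-9_-]{16,128}\z/
# Loose shape check, only meant to recognise an autofilled address.
EMAIL_SHAPE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

# Hypothetical helper: say what kind of value arrived in the token field.
def classify_reset_token(value)
  v = value.to_s.strip
  return :blank if v.empty?
  return :autofilled_email if v.match?(EMAIL_SHAPE)
  return :token if v.match?(TOKEN_SHAPE)
  :malformed
end

# Hypothetical helper: choose the token to hand to reset_password_by_token.
# body_token is user[reset_password_token] from the submitted form;
# url_token is reset_password_token from the query string, assuming the
# form action preserves it. The result also records what the body field
# contained, so the cause can be logged instead of a bare "invalid token".
def resolve_reset_token(body_token, url_token)
  body_kind = classify_reset_token(body_token)
  if body_kind == :token
    return { token: body_token.to_s.strip, source: :body, body_was: body_kind }
  end
  if classify_reset_token(url_token) == :token
    return { token: url_token.to_s.strip, source: :url, body_was: body_kind }
  end
  { token: nil, source: :none, body_was: body_kind }
end

# The two field values quoted in the question: development, then production.
dev  = resolve_reset_token("KyFVbsSUyAzsntDg4Dwf", nil)
prod = resolve_reset_token("my_email@gmail.com", "KyFVbsSUyAzsntDg4Dwf")
puts "development: source=#{dev[:source]} body_was=#{dev[:body_was]}"
puts "production:  source=#{prod[:source]} body_was=#{prod[:body_was]}"
```

A controller using this would reject the request when `token` is nil and log `body_was`, which separates a browser overwriting the field from a genuinely wrong or expired token.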
