
Reset password token mismatch issue in Devise

I'm building an app using Devise. The problem I have is about the password reset process.

If the user forgets their password, they enter the registered email address and a password reset notice is sent to that address. So far it works as expected.

Problem

The password reset token received in the email does not match the password reset token generated by the application. So, when I try to reset the password from the email I received, I get the error "Token is invalid".

=========================

Here is my code.

Gemfile

gem 'devise'
gem 'omniauth'
gem 'omniauth-google-oauth2'
gem 'omniauth-facebook'
gem 'devise-i18n'

routes.rb

devise_for :users, controllers: {
  registrations:      'users/registrations',
  sessions:           'users/sessions',
  confirmations:      'users/confirmations',
  omniauth_callbacks: 'users/omniauth_callbacks'
}

model/user.rb

devise :database_authenticatable, :registerable,
       :recoverable, :rememberable, :validatable, :confirmable,
       :omniauthable, omniauth_providers: %i[google_oauth2]

# Find or create the user for an OmniAuth callback; the random password is
# never shown to the user and confirmation is skipped for OAuth sign-ups.
def self.from_omniauth(auth)
  where(provider: auth.provider, uid: auth.uid).first_or_create do |user|
    user.email = auth.info.email
    user.password = Devise.friendly_token[0, 20]
    user.skip_confirmation!
  end
end

# Update profile attributes without requiring the current password.
def update_without_current_password(params, *options)
  params.delete(:current_password)

  # Leave the password untouched when both password fields are empty.
  if params[:password].blank? && params[:password_confirmation].blank?
    params.delete(:password)
    params.delete(:password_confirmation)
  end

  # update_attributes was removed in Rails 6.1; update behaves the same.
  result = update(params, *options)
  clean_up_passwords
  result
end

views/users/mailer/reset_password_instructions.html.erb

<%# @token is the raw token Devise generated for this email; the user record only stores its digest %>
<%= link_to 'パスワードの変更を行う', edit_password_url(@resource, reset_password_token: @token) %>

=========================================

I searched many times, but I couldn't find much because only old information came up.

Why don't the tokens match? How can I email the generated tokens? Could someone please help?

※I'm not good at English. There may be mistakes.

You have to create a new table for reset tokens.

The schema can be like this:

password_reset_tokens
---------------------
id pk
reset_token unique string
user_id integer
is_active boolean
created_at datetime
updated_at datetime

Whenever a user requests a password change, create an entry in password_reset_tokens with a random reset_token string and assign a user_id to it. Send this token in the email with a link; when the user clicks it, look up the reset token, open the form with the new password fields, and when the password is updated through that link, mark is_active as false.

Additional step:

You can also write a cron job to expire the reset_tokens after x hours. Whenever a new reset_password_token is generated, you can schedule a cron job to expire it after x hours.
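The table-based flow described in this answer, as an added example in plain Ruby (not the answerer's code and not Devise's): an in-memory stand-in for the password_reset_tokens table that stores only a SHA-256 digest of the token, hands the raw token back for the email link, enforces single use, and expires rows after a TTL the way the cron job would. Devise's own :recoverable module also stores a digest in reset_password_token and mails the raw value, so the column never equals the token in the link by design. The two-hour TTL and the class and method names are assumptions.

```ruby
require 'securerandom'
require 'digest'

# In-memory stand-in for the password_reset_tokens table from the answer.
# Only a digest of the token is stored; the raw token goes into the email link.
class PasswordResetTokens
  TTL_SECONDS = 2 * 60 * 60 # the answer's "x hours"; x = 2 is an assumption

  Row = Struct.new(:id, :reset_token, :user_id, :is_active, :created_at, :updated_at)

  def initialize
    @rows = []
  end

  # Called when the user asks for a reset. Returns the raw token for the link;
  # the table row holds only its digest.
  def issue(user_id, now = Time.now)
    raw = SecureRandom.urlsafe_base64(32)
    @rows << Row.new(@rows.size + 1, digest(raw), user_id, true, now, now)
    raw
  end

  # Called when the form behind the link is submitted. Returns the user_id on
  # success, or nil if the token is unknown, already used, or older than the TTL.
  def redeem(raw, now = Time.now)
    row = @rows.find { |r| r.is_active && r.reset_token == digest(raw) }
    return nil if row.nil?
    deactivate(row, now) # single use: mark is_active false either way
    now - row.created_at > TTL_SECONDS ? nil : row.user_id
  end

  # What the cron job in the answer does: deactivate rows past the TTL.
  # Returns how many rows were expired.
  def expire_stale(now = Time.now)
    stale = @rows.select { |r| r.is_active && now - r.created_at > TTL_SECONDS }
    stale.each { |r| deactivate(r, now) }
    stale.size
  end

  private
  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end

  def deactivate(row, now)
    row.is_active = false
    row.updated_at = now
  end
end
```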

