
current_password is not being validated while changing password

Open. shashi-we opened this issue 7 years ago, 6 comments

Hello,

I am using Rails 5, Devise 4.3.0 and devise_token_auth 0.1.42.

I want to allow a user to change their password on a separate view. This view contains current_password, password and password_confirmation.

So, as per the requirement, it should check current_password before updating the password. I've also set the following, as suggested in the config file:

config.check_current_password_before_update = :password

But it's not working. It throws the error unknown attribute 'current_password' for User. To get rid of this error, I used this:

attr_accessor :current_password

Now, when I try to update the password, it is updated but current_password is not validated. If I enter a wrong current_password, it still updates the new password.

Any help on this would be highly appreciated.

Thanks :)

shashi-we, Jan 16 '18 19:01

+1

prasannakumar1989, Apr 30 '18 23:04

Please use update_with_password.

This code might help you.

Sorry, I did not try the problem myself.

Yuji-Kuroko, Mar 30 '20 07:03

@shashi-we I think you might be using the wrong entrypoint to change the user password the way you described. You should use registrations#update.

rodrigovcortezi, Apr 27 '20 18:04

I'm having exactly the same problem as @shashi-we.

initializers/devise_token_auth: config.check_current_password_before_update = :password

application_controller: devise_parameter_sanitizer.permit(:account_update, keys: %i[name tin current_password])

model: attr_accessor :current_password

Then I do this request: PUT /auth/password which uses devise_token_auth/passwords#update

I get a 200 OK, regardless of sending the current_password or not. I'm not sure this is the expected behaviour. Is it? Should we really just use registrations#update? And if so, why do we have the devise_token_auth/passwords#update method?

MGago, Nov 23 '20 15:11

I believe passwords#update handles the tokenized password reset only. It should be used when a user forgets their password.

For changing the password with the current one, I recommend using registrations#update.

rodrigovcortezi, Nov 23 '20 16:11
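To make the distinction concrete, here is an added, self-contained Ruby illustration (not Devise's or devise_token_auth's code) of the two paths the comment above separates: a change-password path that refuses the update unless current_password verifies, which is the behaviour check_current_password_before_update = :password is meant to enforce via registrations#update, and a token-based reset path that by design never looks at the old password. The Account class, its method names and the PBKDF2 storage are stand-ins constructed for the example.

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for a User model; not the Devise implementation.
class Account
  ITERATIONS = 50_000
  attr_reader :errors

  def initialize(password)
    @errors = []
    rotate(password)
  end

  # Change-password path (registrations#update in the thread): the caller must
  # prove knowledge of the current password, so a wrong current_password fails.
  def update_with_password(current_password:, password:, password_confirmation:)
    @errors = []
    @errors << "current_password is invalid" unless valid_password?(current_password)
    @errors << "password_confirmation doesn't match" unless password == password_confirmation
    return false unless @errors.empty?
    rotate(password)
    true
  end

  # Reset path (passwords#update in the thread): the emailed reset token is the
  # proof of identity, so current_password is neither required nor checked.
  def reset_password_with_token(token:, expected_token:, password:, password_confirmation:)
    @errors = []
    @errors << "reset token is invalid" unless OpenSSL.secure_compare(token, expected_token)
    @errors << "password_confirmation doesn't match" unless password == password_confirmation
    return false unless @errors.empty?
    rotate(password)
    true
  end

  # Constant-time comparison of the derived key against the stored digest.
  def valid_password?(candidate)
    OpenSSL.secure_compare(derive(candidate, @salt), @digest)
  end

  private

  # Re-salt and re-derive on every successful change.
  def rotate(password)
    @salt = SecureRandom.hex(16)
    @digest = derive(password, @salt)
  end

  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS, length: 32, hash: "sha256")
  end
end
```

The point of the contrast is operational: exposing only the token reset path to a logged-in client means a stolen access token suffices to set a new password, whereas the change-password path also requires the current one.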

@rodrigovcortezi got it! That makes sense.

I was doing a POST /auth/password to recover the password and a PATCH /auth/password to change the password when the user was logged in. I got confused because passwords#update (with a PATCH /auth/password) requires a valid access-token, so I thought this was the right way to change the password. However, now I believe you were right. You should use registrations#update to change the password and passwords#update to recover it.

Thank you very much.

MGago, Nov 25 '20 11:11