devise_invitable

Invitation token is invalid when entering wrong length password

Open PhilipAnd opened this issue 10 years ago • 10 comments

There might be a possible bug with the invitable gem.

Way to reproduce:

  1. Click on the invite link in the mail and fill out just the first password field with a long enough password.
  2. A validation error is shown
  3. Enter a correct validated password
  4. You now get the error message: "Invitation token is invalid".

I am using devise 3.4.1, devise_invitable 1.3.5

PhilipAnd avatar Feb 16 '15 18:02 PhilipAnd

That case is tested here and it works: https://github.com/scambra/devise_invitable/blob/master/test/models/invitable_test.rb#L194

Did you override some method in model, or controller or view?

scambra avatar Feb 17 '15 07:02 scambra

I had two overloads in the user.rb model, but I have removed them for testing purpose and the token in the url is still removed when typing the wrong password.

The token is still there in the database (as the unit test also describes), but the url is just changed from http://localhost:3000/users/invitation/accept?invitation_token={token} to http://localhost:3000/users/invitation

PhilipAnd avatar Feb 17 '15 08:02 PhilipAnd

You could try to update devise_invitable, although I think nothing related has changed since 1.3.5

I have checked the accept_invitation! method and find_by_invitation_token, and the original token is restored after find, so it should work: https://github.com/scambra/devise_invitable/blob/v1.3.5/lib/devise_invitable/model.rb#L285

I would need a test case to be able to fix it

scambra avatar Feb 17 '15 10:02 scambra

@phatzor sounds like your new-user registration form is missing a hidden parameter; like <%= form.hidden_field :invitation_token, value: params[:invitation_token] %>

courtenay avatar Apr 14 '15 03:04 courtenay

+1. I am facing the same issue. Now, when I click the invitation link (getting log1 and rendering html1 in the gist), you will see the hidden field for the invitation token is present there. Now I am giving a wrong password in both, which doesn't match, and then the page renders the edit form again, but this time the invitation token hidden field is absent. But the <p> tag is showing the invitation token still there; I used it there to debug. But I am out of luck. No idea why the hidden field is not rendering the second time.

https://gist.github.com/aruprakshit/fdd03c6a74e255393b35

aruprakshit avatar Dec 05 '15 07:12 aruprakshit

@aruprakshit did you change something on controller? I don't see failing in tests. Also, I don't think you need this value: f.object.invitation_token, although it shouldn't change anything

scambra avatar Dec 10 '15 11:12 scambra

@scambra Yes, I don't need it. I added it to debug. No, I didn't override or modify the edit or update action. Also, you can see in the logs, which I had added, that the token is missing. But if you bring the hidden_field down inside the https://gist.github.com/aruprakshit/fdd03c6a74e255393b35#file-edit-html-erb-L10 , everything just works like a charm. This is the workaround I have now to push my feature up. But I would still like to hear back why the error was coming in my added examples.

aruprakshit avatar Dec 10 '15 15:12 aruprakshit

I don't know why Rails doesn't display the hidden field; as you see, devise invitable is setting the field on f.object

scambra avatar Dec 10 '15 15:12 scambra

I had the same problem. When the validation on accepting an invitation fails, then the edit form is rendered rather than redirecting to the edit action and including the url param.

However, I realise that, while editing the form to be a .slim template, I had lost the hidden invitation_token field so it was silently creating a new User rather than loading by the token. All working fine now, but maybe something to put into Gotchas or FAQ?

dtropp avatar Dec 17 '15 02:12 dtropp
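
The flow described in the comment above, as an added example that is not part of the thread or of devise_invitable's code: after a failed validation the form is re-rendered at a URL without the token, so the token survives only if the form carries it as a hidden field. The templates, the field name `user[invitation_token]`, the helper names and the token value are constructed assumptions for illustration.

```ruby
require "erb"
require "cgi"

# Constructed stand-ins for the accept-invitation view (not the gem's templates).
FORM_WITH_TOKEN = ERB.new(<<~HTML)
  <form action="/users/invitation" method="post">
    <input type="hidden" name="user[invitation_token]" value="<%= CGI.escapeHTML(token.to_s) %>">
    <input type="password" name="user[password]">
    <input type="password" name="user[password_confirmation]">
  </form>
HTML

# Same form after a template rewrite that dropped the hidden field.
FORM_WITHOUT_TOKEN = ERB.new(<<~HTML)
  <form action="/users/invitation" method="post">
    <input type="password" name="user[password]">
    <input type="password" name="user[password_confirmation]">
  </form>
HTML

# What a browser would post: every <input> name mapped to its value,
# with values the user typed taking precedence over the rendered ones.
def submitted_fields(html, typed = {})
  html.scan(/<input\b[^>]*>/).to_h do |tag|
    name  = tag[/\bname="([^"]*)"/, 1]
    value = tag[/\bvalue="([^"]*)"/, 1]
    [name, typed.fetch(name, CGI.unescapeHTML(value.to_s))]
  end
end

# Simulates: open the link (token in the URL), submit only the first password
# field, get the form re-rendered without a query string, then submit again.
# Returns the invitation token carried by the second submit (nil if lost).
def token_on_second_submit(template, url_token)
  first_page = template.result_with_hash(token: url_token)
  first_post = submitted_fields(first_page, "user[password]" => "longenough")

  # Validation failed: the re-render can only use what was posted back.
  second_page = template.result_with_hash(token: first_post["user[invitation_token]"])
  second_post = submitted_fields(second_page,
                                 "user[password]" => "longenough",
                                 "user[password_confirmation]" => "longenough")
  second_post["user[invitation_token]"]
end

if __FILE__ == $PROGRAM_NAME
  token = "constructed-token-123" # constructed sample value
  p with_field:    token_on_second_submit(FORM_WITH_TOKEN, token)
  p without_field: token_on_second_submit(FORM_WITHOUT_TOKEN, token)
end
```
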

We are having the same issue but I'm pretty sure we are using the token. The user in question has already accepted the invitation and the model reflects that.

hadees avatar Jan 12 '16 20:01 hadees