Devise: How do I invalidate or cancel an email confirmation token?

0
votes

In Devise 2.2.3 and Rails 3.2.x, I want to create a routine whereby users can manually invalidate a confirmation token/email that they may have sent to the wrong email address.

I'm thinking I need to nullify the unconfirmed email and the confirmation token. Is this right?

I don't see anything on Google or the Devise documentation about this procedure.

Scenario:

  1. Existing user changes their email.
  2. User realizes they just sent an email to their ex-wife. : ) Or whatever.
  3. User doesn't want ex to have control over their account.
  4. User quickly cancels the procedure, thereby protecting their security.

Thanks!

3
ruby-on-railssecurityemaildevise

3 Answers

5
votes

Since I don't want to unconfirm the user, I ended up doing this:

def cancel_change_email!
  self.confirmation_token = nil
  self.unconfirmed_email = nil
  self.save!
end

Seems to work. I threw this method into a module I'm including into the User model, but you can put it right into the user model if that's how you roll. I guess this is easy enough, but I kinda figured it'd be built in to Devise.

2
votes

I don't think Devise provides a method for it, but you can do it yourself like this:

user = User.find(1)
user.confirmation_token = nil
user.confirmed_at = nil
user.save!
1
votes

Yes, you can just manually nil stuff out in some sort of callback and then resend the confirmation instructions. But, you can also achieve this using Devise's support for reconfirmable, which can be used when a user changes their email address. If this is set the user is required to "reconfirm" their account, and you can even delay the email change until they successfully confirm again.