在Rails中找不到Authlogic用户的易腐令牌

时间:2013-01-11 01:10:33

标签: ruby-on-rails-3 authlogic

我在我的Rails应用程序中使用Authlogic,我无法弄清楚为什么有时根据易腐令牌找不到用户。它通常有效,但有时它不会。我使用了这个code,以便在能够登录之前验证用户。但是,例如,现在,我正在查看一个示例,即使易受影响的令牌找不到用户,即使我在DB中查找用户,易腐令牌与用户匹配。

过程是这样的:

在users_controller #create 

@user.deliver_verification_instructions!(@subdomain)
用户模型中的

def deliver_verification_instructions!(subdomain)
  reset_perishable_token!
  Notifier.verification_instructions(self, subdomain).deliver!
end

在我的邮件程序中(Notifier.rb)

# email on new user registration to verify user
def verification_instructions(user,subdomain)
  @user = user
  @subdomain = subdomain
  @url  = "http://#{@subdomain.name}.foobar.com/user_verifications/#{@user.perishable_token}"
  sent_on       Time.now
  mail(:to => "#{user.first_name} <#{user.email}>",
    :subject => "Email Verification",
    :from => 'Foo <info@foobar.com>') do |format|
    format.text
    format.html
  end
end
电子邮件视图中的

Please click the following link to verify your email address:                                           
<%= @url %>
<_>在User_verifications控制器

class UserVerificationsController < ApplicationController
  before_filter :load_user_using_perishable_token

def show
  @subdomain = Subdomain.find_by_user_name(current_subdomain)

  if @user
    @user.verify!
    flash[:notice] = "Thank you for verifying your account. You may now login."
  end
  redirect_to home_path
end

private
  def load_user_using_perishable_token
    @user = User.find_using_perishable_token(params[:id])
    flash[:notice] = "Unable to find your account." unless @user
  end
end

代码有时会返回“无法找到您的帐户”。这意味着即使电子邮件中的URL中的令牌与我在数据库中看到的令牌匹配,也找不到易腐令牌。

当我查看Heroku上的日志时,我看到了它:

2013-01-11 00:10:01+00:00 app web.1     - - Started GET "/user_verifications/lTpNRnjDw4WbyAMUyw6" for 10.253.207.217/ip-10-253-207-217.eu-west-1.compute.internal at 2013-01-11 00:10:01 +0000
2013-01-11 00:10:02+00:00 heroku router - - at=info method=GET path=/user_verifications/lTpNRnjDw4WbyAMUyw6 host=mvfd.foobar.com fwd=10.253.207.217/ip-10-253-207-217.eu-west-1.compute.internal dyno=web.1 queue=0 wait=0ms connect=10ms service=1325ms status=302 bytes=96
2013-01-11 00:10:02+00:00 app web.1     - - cache: [GET /user_verifications/lTpNRnjDw4WbyAMUyw6] miss
2013-01-11 00:10:02+00:00 app web.1     - -   Processing by UserVerificationsController#show as HTML
2013-01-11 00:10:02+00:00 app web.1     - -   Parameters: {"id"=>"lTpNRnjDw4WbyAMUyw6"}
2013-01-11 00:10:02+00:00 app web.1     - - Redirected to http://mvfd.foobar.com/home
2013-01-11 00:10:02+00:00 app web.1     - - Completed 302 Found in 1008ms

感谢您提供的任何帮助!

1 个答案:

答案 0 :(得分:2)

默认情况下,Authlogic会在10分钟后过期易损令牌(为了安全起见),因此有些用户可能会在密码重置过期后跟踪密码重置链接。

您可以在用户模型中更改此设置:

class User < ActiveRecord::Base
  acts_as_authentic do |config|
    config.perishable_token_valid_for = 1.hour
  end
end

https://github.com/binarylogic/authlogic/blob/master/lib/authlogic/acts_as_authentic/perishable_token.rb#L15-L25

或者,将不同的到期值传递给控制器​​中的find_using_perishable_token方法:

@user = User.find_using_perishable_token(params[:id], 1.hour)

https://github.com/binarylogic/authlogic/blob/master/lib/authlogic/acts_as_authentic/perishable_token.rb#L55-L63

请务必考虑根据应用程序的安全要求增加到期值的风险。

相关问题
最新问题