How to change email address of a user in devise "safely"? - ruby-on-rails-3

By default, devise uses an email address for sign up and sign in.
But I want that the email address should be allowed to be changed by the user.
If I allow the user to edit the email address, and the user specifies an "incorrect" (i.e. a typo by mistake) email address and then user signs out, and the user also forgets what the typo'ed email was, now the user account is inaccessible by the user!
How to best work around this? (except for creating a separate, unchangeable username field that will always allow user to login)

You can force the user to confirm his account again if he changes his email.
Once, you updated the password of the concerned user, you need to un-confirm the user, and then re-send the confirmation email.
To unconfirm the user :
user = User.find(1)
if user.confirmed?
user.confirmed_at = nil
user.save(:validate => false)
end
To resend the email confirmation :
user = User.find(1)
user.send_confirmation_instructions
Hope this help !

Devise does this out of the box. Here is the info from the initializer:
# If true, requires any email changes to be confirmed (exactly the same way as
# initial account confirmation) to be applied. Requires additional unconfirmed_email
# db field (see migrations). Until confirmed new email is stored in
# unconfirmed email column, and copied to email column on successful confirmation.
config.reconfirmable = true
In confirmable module you may see how it works.

Related

How to connect LDAP With username and password?

I have my Ldap working the only issue i'm facing was when I try to login with email that is when I land in the else part in the below code. If my username is different from email then it throws error. i.e if my email is 'skumar#gmail.com' and my username is 'saurakumar' then it will through invalid username password error.
As internally I'm using username to make email i.e if the user login with name 'karan' then i'm expecting the email to be karan #gmail.com which is not true in many scenario and the Authentication fails. I'm looking for some solution wherein I can login either via email or via username I'll be able to authenticate user. Below is the snippet of my code. Please suggest?
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
ldapEnv.put(Context.PROVIDER_URL, url);
ldapEnv.remove(Context.SECURITY_PROTOCOL);
if (email == null) {
lContext = new InitialLdapContext(ldapEnv, null);
entryResult = searchUserEntry(lContext, user, searchCtrls);
final String usrDN = ((Context) entryResult.getObject()).getNameInNamespace();
lContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
lContext.addToEnvironment(Context.SECURITY_PRINCIPAL, usrDN);
lContext.addToEnvironment(Context.SECURITY_CREDENTIALS, pass);
lContext.reconnect(null);
} else {
ldapEnv.put(Context.SECURITY_PRINCIPAL, email);
ldapEnv.put(Context.SECURITY_CREDENTIALS, credentials);
lContext = new InitialLdapContext(ldapEnv, null);
return lContext;
searchUserEntry(lContext, user, searchCtrls);
}
Normally this is a 3-step process:
Bind to LDAP as an administrative user. Note that this should not be the master user defined in the configuration file: that's for OpenLDAP's use itself. Instead it should be a user mentioned in the DIT that has the appropriate search access for the next step.
Search for the user via some unique attribute, e.g. in your case email.
Using the found DN of the user and the password he specified, attempt to bind as that user (with the reconnect() method, after changing the environment of the context appropriately).
If all that succeeds, you have a login success. If (2) or (3) fail, you have a failure, and note that you should not tell the user which it was: otherwise you are leaking information to attackers. You should not mention whether it was the username (email) or the password that was wrong.

ServiceStack AuthFeature Allow Email Address for UserName

I would like to use an email address as the UserName. I can "/register" with only Email and Password (UserName is Nullable in the AuthUser table), but cannot then "/authenticate" because UserName is NULL. If I copy Email over to UserName in the AuthUser table, I can successfully "/authenticate".
The problem is that an email address has invalid characters according to the validation RegEx in the IsValidUsername method of the AuthFeatureExtensions class and so, you can't "/register" with UserName = email address.
I'm stuck on how to override that if possible?
Thanks,
Jay
ServiceStack Authentication already naturally supports authenticating by Email. When you authenticate with a Username that contains a '#' the ServiceStack will check the Email field instead of the Username.
So don't copy anything over, when you register just leave the Email in the Email field and the Username blank and it will work.

Laravel 4, reset password only with token (howto check it and get user)

What is the best way to reset password only with token?
Now it mades with token and email, I want to get an email by checking tocket in reminders table.
Thanks!
Update
Resolved this by:
$email = DB::table(Config::get('auth.reminder.table'))->where('token', $token)->pluck('email');
Here's how I do password resets.
User clicks Forgot Password link and is taken to a form with one field for email.
They enter their registered email address and I check the email exists in the DB. If it does, I store a random reset code for that user using Str::random(60). I then save the user and email them a link with a reset code (eg. http://domain.com/reset/CODE).
User clicks the link and is taken to the URL above which checks the CODE. If the CODE exists in the DB, the password for the matching user is reset to something random using Str::random(10) and this new password is mailed to the user.
Not sure if this is right/wrong, but it works for me.

Devise case insensitive email when login

I'm using postgresql
Devise stores emails in db with downcase:
config.case_insensitive_keys = [ :email ]
But when i login with uppercased email - i got error that email is wrong.
I find solition for this, but this have 1 trouble:
def self.find_for_authentication(conditions = {})
# Allow to log in with case insensitive email
conditions[:email].downcase!
end
1) When I try to logged in with wrong uppercased email I got error and my email with downcase. (logged with AAA#bbb.CCC, got aaa#bbb.ccc, but i need to show AAA#bbb.CCC). How can I change this behaviour ?
I am not sure I get you but you should be able to access the original email
you supplied by
conditions[:email]
Or once logged in you could access the email of the logged in user via
self.email.
Let me know if this helps
Solution was really simple. What you need is just copy params hash and change email in this hash when login, but when user got exception - we just return original hash with entered params
def self.find_for_authentication(conditions = {})
# Allow to log in with case insensitive email
new_hash = conditions.dup
new_hash[:email] = conditions[:email].downcase
where(new_hash).first
end

Rails 3/Devise - Change Error Message for Password Reset

I am working with a Rails 3 App and am needing to adjust the error message on the password resent view. If a user types in an email address and submits it, currently, the app will display this error message:
Email not found
I am needing to change this error message to this:
We don't have an account with that e-mail address. Maybe you used another address?
I know that you can adjust this in the Devise YML file, but am not sure how to do this... any suggestions?
Working Code
class PasswordsController < Devise::PasswordsController
def create
user = User.find_by_email(params[:user][:email])
if user.nil?
flash.now[:notice] = "We don't have an account with that e-mail address. Maybe you used another address?"
end
super
end
end
You could try using a before_filter that checks if the email exists in the datbase and if not the it redirects you to the password reset form with a flash notice