signed_id cannot be secure for confirmation_email
lazaronixon opened this issue · 3 comments
lazaronixon commented
The user will receive a confirmation token; with this token he can validate any further email. I solved it by setting the email as purpose, so that the token is valid only for that email.
@user = User.find_signed(params[:confirmation_token], purpose: "verify_#{params[:email]}")
stevepolitodesign commented
Thank you for your diligence here. Let me make sure I'm understanding this correctly.
- A user confirms their email address, and bookmarks the URL that they used to have it confirmed.
- A user updates their email address immediately after confirming their original email, before the URL in step 1 expires.
- The user uses the URL in step 1 to confirm the new email address from step 2.
lazaronixon commented
Exactly. My final solution was @user = User.where(email: params[:email]).find_signed(params[:confirmation_token], purpose: params[:email])
This way the signed_id is valid only for that email, and the signed user must have the same email as the token.
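The replay described in this thread, as an added example that is not part of the issue or the project's code: a small HMAC-signed token stands in for Rails' signed_id/find_signed, and an in-memory hash stands in for the User table (both assumptions). The vulnerable confirm uses a fixed purpose; the hardened one binds the purpose to the email and scopes the lookup to it, as in the fix above.

```ruby
require "openssl"
require "json"
require "base64"

# Constructed stand-in for Rails' secret_key_base (assumption, not the project's code).
SECRET = "constructed-demo-secret-do-not-reuse".freeze
# Constructed in-memory user table standing in for the User model.
USERS = { 1 => { email: "alice@example.com", confirmed_email: nil } }

# Mint a token carrying an id and a purpose (simplified analogue of User#signed_id(purpose:)).
def sign_id(id, purpose)
  payload = Base64.urlsafe_encode64(JSON.generate("id" => id, "purpose" => purpose), padding: false)
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)}"
end

# Constant-time comparison so MAC checking does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the signed id only if the MAC and the expected purpose both match (analogue of find_signed).
def verify_signed(token, purpose)
  payload, mac = token.to_s.split("--", 2)
  return nil unless payload && mac && secure_equal?(OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload), mac)
  data = JSON.parse(Base64.urlsafe_decode64(payload))
  data["purpose"] == purpose ? data["id"] : nil
end

# VULNERABLE: the purpose is constant, so any still-valid token confirms whatever email the URL carries.
def confirm_vulnerable(token, email)
  id = verify_signed(token, "confirm_email")
  return false unless id && USERS[id]
  USERS[id][:confirmed_email] = email
  true
end

# HARDENED (the thread's fix): purpose bound to the email, and the user row must carry that email.
def confirm_hardened(token, email)
  user = USERS[verify_signed(token, "verify_#{email}")]
  return false unless user && user[:email] == email # mirrors User.where(email: params[:email])
  user[:confirmed_email] = email
  true
end

# Replay from the thread: confirm the first address, change it, then reuse the bookmarked token.
def replay_scenario
  old_token = sign_id(1, "confirm_email")            # token from the vulnerable flow
  old_bound = sign_id(1, "verify_alice@example.com") # token from the hardened flow
  USERS[1][:email] = "alice@example.com"
  confirm_vulnerable(old_token, "alice@example.com") && confirm_hardened(old_bound, "alice@example.com")
  USERS[1][:email] = "new@example.com"               # address changed; a fresh confirmation is pending
  { vulnerable: confirm_vulnerable(old_token, "new@example.com"),
    hardened: confirm_hardened(old_bound, "new@example.com") }
end
```

replay_scenario returns { vulnerable: true, hardened: false }: the stale token still confirms the new address in the vulnerable flow but is rejected once the purpose is tied to the email.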
stevepolitodesign commented
Thank you for the clarification, I'll plan on addressing this soon 👍