3

I am using the clearance gem for user authentication, but now I have encountered problems implementing a 'change password' link. This is what I have:

    <a href="<%= edit_user_password_path(current_user) %>">...</a>

but in Clearance::passwords_controller we have the following:

    before_filter :forbid_missing_token, only: [:edit, :update]
    ...
      def forbid_missing_token
        if params[:token].to_s.blank?
          flash_failure_when_forbidden
          render template: 'passwords/new'
        end
      end

So it renders a new template instead of edit. What is this :token for? How can I pass it to the controller? Where can I get it?

IvanSelivanov

1 Answer

1

The token is the password reset token. That edit password page is intended to be used by the user to complete the "forgot password" workflow. The password reset token is generated when the user clicks "forgot password" and supplies their email address. It's stored on the user record.

The user receives an email that links them to the edit password page. The reset token is included as a parameter in that link.

I think the resource name in use here (password) is misleading. It could more accurately be password_reset, which might eliminate this confusion, I think. If you want to implement a standard password change form (not a password reset), I'd suggest a separate controller for that.

Derek Prior
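
The reset-token workflow described in the answer, as an added example that is not part of the original answer and is not Clearance's own code: a plain-Ruby model showing why an edit link without a token is rejected and why the emailed link works only once. The `PasswordResetFlow` class, the `reset_token` field and the route shape are assumptions made for illustration.

```ruby
require "securerandom"
require "uri"

# Simplified stand-in for the user record (a real app stores a password hash);
# reset_token is a hypothetical field name.
User = Struct.new(:id, :email, :password, :reset_token)

class PasswordResetFlow
  EDIT_PATH = %r{\A/users/(\d+)/password/edit\z} # assumed route shape

  def initialize(users)
    @users = users
  end

  # "Forgot password": create a random token, store it on the user record,
  # and return the link that would be emailed to the user.
  def forgot_password(email)
    user = @users.find { |u| u.email == email }
    return nil unless user
    user.reset_token = SecureRandom.hex(20)
    "/users/#{user.id}/password/edit?token=#{user.reset_token}"
  end

  # Edit/update step: reject a missing token (as forbid_missing_token does),
  # then require it to match the token stored on that user's record.
  def reset_password(link, new_password)
    uri = URI.parse(link)
    token = URI.decode_www_form(uri.query.to_s).to_h["token"].to_s
    return :missing_token if token.strip.empty?
    user = @users.find { |u| u.id == uri.path[EDIT_PATH, 1].to_i }
    return :invalid_token unless user&.reset_token && same?(user.reset_token, token)
    user.password = new_password
    user.reset_token = nil # single use: the emailed link stops working
    :ok
  end

  private

  # Constant-time comparison so a mismatch does not leak how many bytes matched.
  def same?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  users = [User.new(1, "user@example.com", "old-secret", nil)] # constructed sample
  flow = PasswordResetFlow.new(users)
  p flow.reset_password("/users/1/password/edit", "x") # link without a token
  p flow.reset_password(flow.forgot_password("user@example.com"), "new-secret")
end
```

A change-password form for a logged-in user has no emailed token to present, which is why the answer suggests a separate controller that checks the session and current password instead.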