Rails: Steps to update Devise 3.0.2 to Devise 3.1.0
The other day I was absent-mindedly updating the gems for a Rails project. Ran bundle outdated. Took a quick look at the list and ran bundle update. Whoops! Crash!
What I’d failed to notice was the update from Devise 3.0.2 to 3.1.0.
A quick trip through Google came up with several explanations of why the changes were made. Here’s a good summary: Devise 3.1: Now with more secure defaults.
But what specifically needed to be modified (and for-petes-sake get my app running again)?
Here’s the list of the steps I took. Your mileage may vary depending on how much customization you’ve done to the Devise set-up.
1. Add the new secret key.
Generate a secret key using rake secret.
In config/initializers/devise.rb, add the following:
# Added with Devise 3.1
# The secret key used by Devise. Devise uses this key to generate
# random tokens. Changing this key will render invalid all existing
# confirmation, reset password and unlock tokens in the database.
config.secret_key = PRIVATE_DATA['secret_key']
You’ll notice I have the actual key value stored in a file private.yml that’s listed in .gitignore. If you have your key in a public repository, you might consider moving it out.
2. Update the mailer views to use the new @token variable instead of reading the token off the resource.
Old: confirmation_url(@resource, :confirmation_token => @resource.confirmation_token)
New: confirmation_url(@resource, :confirmation_token => @token)
Old: edit_password_url(@resource, :reset_password_token => @resource.reset_password_token)
New: edit_password_url(@resource, :reset_password_token => @token)
Do something similar for unlock_instructions.html.erb if you’re using the unlock feature.
3. Check the controllers if you’ve created any overriding methods. I have several but they were still fine.
4. Update the default path the user is sent to after confirmation.
I have a custom sign-in form on a lightbox, so I needed to override the path the user is now being sent to after the confirmation. If you’ve moved or replaced the standard sign-in form, you might need to do the same. The method to override is after_confirmation_path_for in the confirmations controller.
In your local confirmations_controller.rb (mine is app/controllers/local_devise/confirmations_controller.rb), add the following:
# The path used after confirmation.
def after_confirmation_path_for(resource_name, resource)
  dashboard_path # go to dashboard instead of default sign-in view
end
5. Update the text of the flash message displayed after the confirmation is successful (the confirmed key under devise.confirmations in your Devise locale file, e.g. config/locales/devise.en.yml):
confirmed: 'Your account was successfully confirmed. Please sign in.'
6. Restart the app and try it out.
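Why steps 1 and 2 belong together, as an added illustration (this is not Devise’s code and not part of the original post): from 3.1 on, Devise keeps only a keyed digest of each confirmation, reset-password and unlock token in the database and sends the raw value out by email, which is why the mailer views now receive @token and why the digest key is derived from config.secret_key. The TokenStore class, its method names, the secret and the record values below are all assumed or constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical in-memory stand-in for the users table. It keeps only an
# HMAC digest of each token; the raw token exists only in the email link.
# Because the HMAC key is stretched from the app secret, rotating that
# secret silently invalidates every token already stored (the caveat in
# the config.secret_key comment).
class TokenStore
  def initialize(secret_key)
    @secret_key = secret_key   # stands in for config.secret_key
    @column_keys = {}
    @records = {}              # digest => record
  end

  # Simulates changing config.secret_key in a running app.
  def rotate_key(new_secret_key)
    @secret_key = new_secret_key
    @column_keys.clear
  end

  # Per-column key stretched from the app secret with PBKDF2 (the column
  # name is the salt); iteration count and length are constructed choices.
  def column_key(column)
    @column_keys[column] ||=
      OpenSSL::PKCS5.pbkdf2_hmac(@secret_key, column.to_s, 2**16, 64, 'sha256')
  end

  def digest(column, raw_token)
    OpenSSL::HMAC.hexdigest('SHA256', column_key(column), raw_token)
  end

  # Issue a token for a record: persist only the digest, hand back the raw
  # value that the mailer view would interpolate into confirmation_url.
  def generate(column, record)
    raw = SecureRandom.urlsafe_base64(15)
    @records[digest(column, raw)] = record
    raw
  end

  # Resolve the raw token from an email link back to its record.
  # Returns nil for unknown tokens, tokens of a different column, and
  # tokens issued under a previous secret key.
  def find_by_token(column, raw_token)
    @records[digest(column, raw_token)]
  end
end
```

A dump of the store yields only digests, so a leaked database copy no longer contains usable confirmation or reset links.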
Turned out to be no big deal and I’m all for adding more security. (Just could have saved myself a few moments of panic if I’d been paying more attention. Note to self.)
Helpful? I get something wrong? Please leave me a comment.