Rails: Steps to update Devise 3.0.2 to Devise 3.1.0

The other day I was absent-mindedly updating the gems for a Rails project. Ran bundle outdated. Took a quick look at the list and ran bundle update. Whoops! Crash!

What I’d failed to notice was the update from Devise 3.0.2 to 3.1.0.

A quick trip through Google turned up several explanations of why the changes were made. Here’s a good summary: Devise 3.1: Now with more secure defaults.

But what specifically needed to be modified (and, for Pete’s sake, get my app running again)?

Here’s the list of the steps I took. Your mileage may vary depending on how much customization you’ve done to the Devise setup.

1. Add the new secret key.

Generate a secret key using rake secret.

In config/initializers/devise.rb, add the following:

You’ll notice I have the actual key value stored in a file private.yml that’s listed in .gitignore. If you have your key in a public repository, you might consider moving it out.
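As an added example (this is not code from the post), here is one way to feed that key into the initializer: read it from the gitignored private.yml, fall back to an environment variable for hosts where the file isn’t deployed, and refuse to boot when it’s blank or suspiciously short. The file path, the devise_secret_key key name and the DEVISE_SECRET_KEY variable are my assumptions; config.secret_key is the setting Devise 3.1 reads.

```ruby
require 'yaml'

# Assumed location of the gitignored file; the post only says it is named
# private.yml. Relative to the Rails root when run from an initializer.
PRIVATE_YML = File.join(Dir.pwd, 'config', 'private.yml')

# Reads the Devise secret from private.yml (key name assumed), falling back to
# the DEVISE_SECRET_KEY environment variable. Refuses to return a blank or
# short key: Devise 3.1 derives every confirmation, reset and unlock token
# digest from this value, so an empty or placeholder key makes those tokens
# trivially forgeable.
def load_devise_secret(path: PRIVATE_YML, env: ENV, key: 'devise_secret_key')
  secret = nil
  if File.exist?(path)
    data = YAML.load_file(path)
    secret = data[key] if data.is_a?(Hash)
  end
  secret ||= env['DEVISE_SECRET_KEY']
  secret = secret.to_s.strip
  if secret.empty?
    raise "Devise secret key missing: add #{key} to #{path} or set DEVISE_SECRET_KEY"
  end
  # rake secret emits 128 hex characters; treat anything much shorter as a
  # typo or a leftover placeholder rather than a real key.
  raise 'Devise secret key too short; generate one with rake secret' if secret.length < 64
  secret
end

# In config/initializers/devise.rb the call would be:
#   Devise.setup do |config|
#     config.secret_key = load_devise_secret
#   end
```

Failing loudly at boot is deliberate: a Devise app that starts with a missing key and then quietly signs tokens with an empty string is worse than one that refuses to start.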

2. Update mailer views to use the new @token value.

In app/views/devise/mailer/confirmation_instructions.html.erb:

Old: confirmation_url(@resource, :confirmation_token => @resource.confirmation_token)
New: confirmation_url(@resource, :confirmation_token => @token)

In app/views/devise/mailer/reset_password_instructions.html.erb:

Old: edit_password_url(@resource, :reset_password_token => @resource.reset_password_token)
New: edit_password_url(@resource, :reset_password_token => @token)

Something similar for unlock_instructions.html.erb if you’re using the unlock feature.
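The reason the old views break is worth seeing in code. In 3.1 Devise no longer stores the raw token: the column holds a digest of it, and the raw value is handed only to the mailer as @token. So @resource.confirmation_token now gives you the digest, the e-mailed link carries the digest, and the controller digests it again on the way back in, which never matches. The following is an added, simplified model of that scheme written for this post (not Devise’s own code; the key derivation and token format are my own stand-ins):

```ruby
require 'openssl'
require 'securerandom'

# Simplified model of the Devise 3.1 token scheme, written as an illustration
# (not Devise's own code). The raw token exists only long enough to be
# e-mailed; the database column keeps an HMAC digest of it.
class TokenStore
  def initialize(secret_key)
    @secret_key = secret_key
    @records = {} # constructed in-memory stand-in for the users table
  end

  # Per-column derived key, so a reset token cannot be presented as a
  # confirmation token even if both were issued to the same user.
  def digest(column, raw)
    column_key = OpenSSL::HMAC.digest('SHA256', @secret_key, column.to_s)
    OpenSSL::HMAC.hexdigest('SHA256', column_key, raw.to_s)
  end

  # Mirrors the shape of Devise's generator: returns [raw, digest]. The raw
  # value is what the mailer sees as @token; the digest is what gets saved.
  def generate(column)
    raw = SecureRandom.urlsafe_base64(20)
    [raw, digest(column, raw)]
  end

  # Issue a token for a user and return only the raw value for the e-mail.
  def issue(user_id, column)
    raw, enc = generate(column)
    (@records[user_id] ||= {})[column] = enc
    raw
  end

  # What the confirmation/password controller does with the token from the
  # URL: digest the presented value and look for a matching stored digest.
  def find_by_token(column, presented)
    enc = digest(column, presented)
    @records.each do |user_id, columns|
      stored = columns[column]
      return user_id if stored && constant_time_equal?(stored, enc)
    end
    nil
  end

  # The value @resource.confirmation_token would now hold: the digest.
  def stored(user_id, column)
    @records.fetch(user_id, {})[column]
  end

  private

  # Compare digests without leaking where they first differ.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Issue a token with store.issue(user_id, :confirmation_token) and you get back only the raw value; looking it up with the stored digest instead of the raw token returns nil, which is exactly what the old @resource.confirmation_token view was doing. The upside is that a read of the users table no longer yields working confirmation or reset links.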

3. Check the controllers if you’ve created any overriding methods. I have several but they were still fine.

4. Update the default path the user is sent to after confirmation.

I have a custom sign-in form in a lightbox, so I needed to override the path the user is now sent to after confirmation. If you’ve moved or replaced the standard sign-in form, you might need to do the same. The method to override is after_confirmation_path_for in the confirmations controller.

In your local confirmations_controller.rb (mine is app/controllers/local_devise/confirmations_controller.rb), add the following:

5. Update the text of the flash message displayed after the confirmation is successful.

In config/locales/devise.en.yml:

6. Restart the app and try it out.

Turned out to be no big deal and I’m all for adding more security. (Just could have saved myself a few moments of panic if I’d been paying more attention. Note to self.)

Helpful? Did I get something wrong? Please leave me a comment.