Rails 4 + Devise: Password Reset is always giving a “Token is invalid” error on the production server, but works fine locally.

再見小時候 2020-12-05 04:05

I have a Rails 4 application set up to use Devise, and I'm running into a problem with password resets. I have the mailer set up, and the password reset email sends fine. The li

5 answers
  •  伪装坚强ぢ
    2020-12-05 04:52

    Although the accepted answer is correct, wanted to explain why this is happening so you can use it in some other cases as well. If you take a look at the method which is generating the password reset token:

    def set_reset_password_token
        raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
    
        self.reset_password_token   = enc
        self.reset_password_sent_at = Time.now.utc
        self.save(validate: false)
        raw
    end
    

    You will see that raw is being returned and enc is being saved in the database. If you are using the value from the database (enc) to put into a password_reset_token hidden field of your form, then it will always say Token invalid, as that is the encrypted token. The one you should use is the raw token.

    This was done because, if some admin (or a hacker) can access the database, they could easily reset anyone's password by just using the encrypted token, which is what this tries to avoid.

    Some information about this and some other changes in Devise can be found in Devise's change-log blog post or in Devise's issue discussion.
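
The raw/enc split described in the answer above, as an added example that is not part of the original answer and is not Devise's own code. SketchTokenGenerator, SketchUserStore and reset_demo are hypothetical names, and the keyed HMAC-SHA256 digest and its key format are assumptions chosen to show why a submitted enc value never matches the stored one:

```ruby
require 'openssl'
require 'securerandom'

# Simplified stand-in for Devise.token_generator (assumption: keyed HMAC-SHA256).
class SketchTokenGenerator
  def initialize(secret)
    @secret = secret
  end

  # The digest that ends up in the reset_password_token column.
  def digest(column, raw)
    OpenSSL::HMAC.hexdigest('SHA256', "#{@secret}/#{column}", raw.to_s)
  end

  # Returns [raw, enc]: raw is mailed to the user, enc is persisted.
  def generate(column)
    raw = SecureRandom.urlsafe_base64(15)
    [raw, digest(column, raw)]
  end
end

# Hypothetical in-memory users table: email => stored digest (enc).
class SketchUserStore
  attr_reader :rows

  def initialize(generator)
    @generator = generator
    @rows = {}
  end

  def set_reset_password_token(email)
    raw, enc = @generator.generate(:reset_password_token)
    @rows[email] = enc
    raw
  end

  # The server digests whatever the form submits, then looks that digest up.
  def find_by_submitted_token(submitted)
    @rows.key(@generator.digest(:reset_password_token, submitted))
  end
end

# Constructed sample run: the key and address are made up for illustration.
def reset_demo
  store = SketchUserStore.new(SketchTokenGenerator.new('constructed-sample-key'))
  raw = store.set_reset_password_token('user@example.com')
  enc = store.rows['user@example.com']
  { with_raw: store.find_by_submitted_token(raw),
    with_enc: store.find_by_submitted_token(enc) }
end
```

Calling reset_demo returns the matching address for the raw token and nil for the database value, because the stored value gets digested a second time before the lookup.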
