User account creation reset token sent by email expires immediately.

When I create a new user, the reset token expires immediately showing "Your password reset token has expired.", after redirecting to http://g.apertron.net/users/password/new?user_email=

Thanks!

Title changed from User account creation reset token sent by email resets immediately. to User account creation reset token sent by email expires immediately.

Hi,

I have the same problem using Gitlab CE 8.0.2 3df6c44e.

I had the same problem, I just requested a new password and it worked, but I can confirm it happened on 8.0.1 for me.

I can also confirm this exact problem. Using GitLab CE 8.0.2.

I create new users in the Admin panel, and the email correctly sends. However, the confirmation link immediately goes to a "Your password reset token has expired" notification on the "Forgot Password" screen at the URL "[gitlab's external URL]/users/password/new?user_email=".

Doing a request for a new password/new password reset, but the initial "set your password" link in the very first email notification is not working correctly.

I checked the config/initializers/devise.rb file and the reset value is set to 2.days, so that's correct.

Same for on CE 8.0.2 but had this problem also on previous version

Got this same issue on 8.0.3.

Also, a related issue is that inviting user using email address request them to sign-in which doesn't make sense as they don't have an account yet.

Got this same issue on GitLab 8.0.3

I looked into this. The root cause of this issue is that Devise clears the reset_password_token and reset_password_sent_at fields here. After creation of a new user, it looks like the e-mail and password has changed, and so Devise determines the reset password token is no longer necessary.

I tried working around the issue by generating the token after the save, but doing that prevents GitLab from including the reset token in the e-mail sent to the user.

Ideally, Devise would provide a way to disable the automatic clearing of the reset token for this use case. We may need to override the before_save call to do this now. Another workaround may be to restore the reset tokens after the save occurs.

I've submitted a PR for Devise:

https://github.com/plataformatec/devise/pull/3774

We may be able to make GitLab to do this.

I had the same problem with 8.1.0 With the "patch" of @stanhu, it works :-) Thanks

mentioned in merge request !2056 (merged)

Status changed to closed by merge request !2056 (merged)

mentioned in commit 7f1b60cc

mentioned in commit 3a82302f

mentioned in merge request !13144 (merged)

mentioned in commit 62216af8

mentioned in merge request !14785