Rails/Devise - forcing password reset - ruby-on-rails

I've implemented the ability to auto generate user passwords using Devise. Now when the user logs in to the system, I would like to force the user to reset the password. It seems like there is no such functionality built into Devise (please correct me if I am wrong). I can think of several ways to achieve this, but I'm sure there is a standard way of doing this.
Any tips would be appreciated.
Thanks.

Devise has a passwords controller with associated views to change a user's password. In the application controller you can override some Devise methods like after_sign_up_path, after_sign_in_path, after_confirmation_path etc. with new_password_route, which I remember is the router helper to change the password, not sure though. I assume that you are sending a mail with the generated password and a confirmation link. If not, what you are doing is kind of pointless. Generating a password so that the user then has to change it is not right regarding UX. Just prompt the user for the desired password at the beginning.
Good luck
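An added example (not from the thread above, and not Devise's own code) of the flag-and-redirect approach the question is after, in plain Ruby so it runs without Rails. It assumes a hypothetical boolean column force_password_reset on users: the flag is set when the temporary password is generated, a before_action in ApplicationController redirects every request to Devise's password-edit path until the flag is cleared, and the flag is cleared when the user chooses a password of their own. FakeController stands in for a Rails controller; current_user, request and redirect_to are the Devise/Rails names the module expects, and the literal paths are Devise's default registrations/sign-out routes.

```ruby
require "securerandom"

# Hypothetical User with a force_password_reset column (added by a migration
# in a real app). A Struct here so the example runs without Rails or Devise;
# Devise would keep a bcrypt hash in encrypted_password, not the plaintext.
User = Struct.new(:email, :password, :force_password_reset, keyword_init: true) do
  # Provision an account with a random temporary password and set the flag.
  # 24 random bytes, URL-safe; the user is never meant to keep this value.
  def self.provision(email)
    new(email: email, password: SecureRandom.urlsafe_base64(24),
        force_password_reset: true)
  end

  # Called from the registrations update action once the user picks a
  # password: reject reuse of the temporary one, then clear the flag.
  def change_password!(new_password)
    raise ArgumentError, "new password must differ from the temporary one" if new_password == password
    raise ArgumentError, "password too short" if new_password.length < 12 # example policy, not Devise's default
    self.password = new_password
    self.force_password_reset = false
    self
  end
end

# Include in ApplicationController and register with
# `before_action :enforce_password_reset`. The allowed paths are Devise's
# defaults for registrations#edit, registrations#update and sign-out; in an
# app use the route helpers (edit_user_registration_path etc.) instead.
module ForcedPasswordReset
  ALLOWED_PATHS = %w[/users/edit /users /users/sign_out].freeze

  def enforce_password_reset
    return unless current_user&.force_password_reset
    return if ALLOWED_PATHS.include?(request.path)
    redirect_to "/users/edit"
  end
end

# Stand-in for a Rails controller: provides current_user, request and
# redirect_to, runs the before_action, and reports what happened.
class FakeController
  include ForcedPasswordReset
  Request = Struct.new(:path)

  attr_reader :current_user, :request, :redirected_to

  def initialize(user, path)
    @current_user = user
    @request = Request.new(path)
    @redirected_to = nil
  end

  def redirect_to(path)
    @redirected_to = path
  end

  # :redirected if the gate fired, :rendered if the action would have run.
  def dispatch
    enforce_password_reset
    @redirected_to ? :redirected : :rendered
  end
end

if __FILE__ == $PROGRAM_NAME
  user = User.provision("alice@example.test")
  puts FakeController.new(user, "/dashboard").dispatch   # redirected
  puts FakeController.new(user, "/users/edit").dispatch  # rendered
  user.change_password!("correct horse battery staple")
  puts FakeController.new(user, "/dashboard").dispatch   # rendered
end
```

Overriding after_sign_in_path_for only redirects once, right after login; a user can then type any other URL and keep using the temporary password. The before_action is what actually enforces the change, which is why the gate lives in ApplicationController rather than in the sign-in redirect.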

Related

Can I always require confirmation with Devise on Rails?

I've been asked to implement 2FA with email codes, like you get from Steam (and many banks), after you haven't logged in for a while. I initially thought this would have been a flag I could turn on in the Devise config, but I can't find ANY place on the internet that talks about something like this. The desired process would be to generate and email a one-time pad to enter into a confirmation screen. Every reference I've found to 2FA with Devise refers to using things like SMS or an authenticator app.
Working within the framework of Devise, it seems like this might possibly boil down to unconfirming the user every so often, maybe like every other day. That way, the next time they log in, they get another email with a new link to "re-"confirm the login. The best I can find is Warden::Manager.after_authentication to set user.confirmed_at = nil, but this doesn't seem to be doing what I want.
Thanks to a friendly person on GitHub, I was directed to the Devise plugin, https://github.com/Houdini/two_factor_authentication, which does exactly what I wanted. I knew someone had to have already written it!

Devise: Place a variable in the confirmation email

I am trying to customise the confirmation email in order to pass an extra variable besides the resource and confirmation token.
In particular what I want is to get the existing (soon to be overridden) email of the user passed into the confirmation email so that when the user clicks on the confirmation link, the page he goes to will have the user's old email in the parameters.
I'm not sure where I will need to make this change exactly (maybe mailer view or devise mailer?) and also what is the best way to override this in my rails app without touching the devise gem at all?
Or maybe there is even a better way I can get the user's old email after he confirms on the link but, as far as I'm aware, once that happens the old email is gone for good.
Use rails generate devise:views.
This will generate all the views that Devise uses internally so you can make your modifications.
NOTE
This will generate erb templates. If you wish to use haml or anything else, here is a tutorial on how you can go about this process.

how to seed encrypted password

I will be seeding my database with real people's names and email addresses, and inviting them to join the site by sending an email to the address that's in the database, with a link back to the site. If I use Devise's 'database_authenticatable' with the site, it creates an email column and a column for an encrypted password. However, since I'm only seeding the database with an email, and not a password, I'm not sure if this will create problems.
Should I leave the password column blank? Should I create a dummy password and invite them to change it? Any recommendations?
When answering this question, please take note of my username on this site and provide the level of detail required for someone with my username (and others of similar intelligence) to understand your answer. Thank you in advance.
The simplest way to do something like this (without having to muddy around with Devise itself) is to set the password as a hidden field on your signup form and set a default value for everyone (e.g. password123)
You'll need to run
rails g devise:views
to allow you to customize the Devise views and change the password field to a hidden field. Then in your User model, specify what you want to set the password to, e.g.
# In app/models/user.rb. Runs only on create, so the default never
# overwrites a password the user sets later.
before_validation :set_default_password, on: :create

def set_default_password
  return if password.present?
  self.password = 'password123'
  self.password_confirmation = 'password123'
end
Then modify the devise emails to inform the user what their password is and advise them to change it ASAP.
NOTE: This is certainly not the best solution, but it is probably the simplest to run without messing with the Devise code.
One other option you could check out is the devise_invitable gem...
https://github.com/scambra/devise_invitable
This allows you to send invitations to users emails, and they then set their password from there. This may not fit your exact need, but I thought it was worth mentioning.
Related SO question can be found here....
Devise: Create User without Password then Require Password to Use Account?

Confirm link creation with Ruby (on Rails)

What I'd like to achieve is a typical use case: a user enters his email address into a form. After sending the form to my application, an email with a randomly generated link should be sent out to the user, which he has to click to confirm his email address. After clicking the link the address should be marked as valid in my application.
My main questions are:
What is the best way to generate such random links?
What is the best way to map the click on such a random link to the address in my database?
Thanks :-).
It's also provided out of the box in Devise: https://github.com/plataformatec/devise
See confirmable option.
Use AuthLogic. It does all this for you.
Like #apneadiving and #Brian pointed out, you have that feature in Devise and AuthLogic, but in case you need to roll out your own, what better way than to learn from them:
Set up a confirmations route
Set up a confirmations model
Set up a confirmations controller
The logic is to generate a random token (md5, sha1, whatever...), store it and send it.
When your confirmations controller is called you accept the confirmation for the token passed as param.
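A worked version of the roll-your-own steps above, added here as an example (not code from Devise, AuthLogic or any of the posters), in plain Ruby so it runs without Rails. It also fits the seeding question further up: the link mailed to a seeded user is this kind of token. ConfirmationStore stands in for the confirmations table: issue generates a 256-bit random token with SecureRandom and stores only its SHA-256 digest with an expiry, and confirm is what the confirmations controller would call with params[:token]. The host and path in confirmation_url, the 24-hour default TTL and the single-use rule are assumptions of the example.

```ruby
require "securerandom"
require "digest"

# Stand-in for a confirmations table keyed by token digest. Storing the
# digest rather than the token means a leaked database dump (backup, SQL
# injection) does not hand out usable confirmation links.
class ConfirmationStore
  Record = Struct.new(:email, :token_digest, :expires_at, :confirmed_at,
                      keyword_init: true)

  # clock is injectable so expiry can be tested without sleeping.
  def initialize(ttl: 24 * 60 * 60, clock: -> { Time.now })
    @ttl = ttl
    @clock = clock
    @records = {} # token_digest => Record
  end

  # Issue a token for an address. Any earlier unconfirmed token for the
  # same address is dropped, so only the most recent link works.
  # Returns the raw token; it goes into the email and nowhere else.
  def issue(email)
    @records.delete_if { |_, r| r.email == email && r.confirmed_at.nil? }
    raw = SecureRandom.urlsafe_base64(32) # 256 bits of entropy
    @records[digest_of(raw)] = Record.new(
      email: email, token_digest: digest_of(raw),
      expires_at: @clock.call + @ttl, confirmed_at: nil
    )
    raw
  end

  # Link for the confirmation email (host and path are assumptions).
  def confirmation_url(raw)
    "https://example.test/confirmations/#{raw}"
  end

  # What the confirmations controller does with params[:token]. Lookup is
  # by digest, so application code never compares tokens. Returns the
  # confirmed email, or nil for an unknown, already used or expired token.
  def confirm(raw)
    return nil if raw.nil? || raw.empty?
    rec = @records[digest_of(raw)]
    return nil if rec.nil? || rec.confirmed_at || @clock.call > rec.expires_at
    rec.confirmed_at = @clock.call
    rec.email
  end

  def confirmed?(email)
    @records.values.any? { |r| r.email == email && r.confirmed_at }
  end

  private

  def digest_of(raw)
    Digest::SHA256.hexdigest(raw)
  end
end

if __FILE__ == $PROGRAM_NAME
  store = ConfirmationStore.new
  token = store.issue("alice@example.test")
  puts store.confirmation_url(token)
  puts store.confirm(token).inspect # "alice@example.test"
  puts store.confirm(token).inspect # nil: single use
end
```

In a Rails app the Record becomes a Confirmation model with token_digest, expires_at and confirmed_at columns, the route is something like get "confirmations/:token", and the controller's show action calls confirm and renders an error page when it returns nil. What makes the link safe is the entropy of the random token, not the hash used to store it; the hash only limits the damage if the table leaks.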

How do I implement gradual engagement using Devise and Rails 3?

I'm trying to implement a delayed-signup (aka delayed authentication aka gradual engagement) website flow using Devise + Rails.
By gradual engagement, I mean
"Don't make the user sign in until she absolutely has to, but let her play around and be remembered on the site"
I'm looking for a simple way to do this using devise. I feel like this is something many others have had to do, but I haven't found documentation on it.
The following approach sounds ok in my head, so I'm going to start with it:
Create users that are only "rememberable"
When certain pages are accessed, require that these users have more data on them, like a username and password, via something like "before_filter :authenticate_user!" in the appropriate controllers.
Does this approach make sense? Is there a better one? Do you have an implementation of a gradual engagement approach to signup/registration forms using Devise + Rails that you're willing to share?
I think the point of the article you gave us is to say:
only ask for sign up if necessary.
What does this mean?
Let's take an example. You're an e-commerce web site.
When does the customer have to sign up "at last"? During checkout. Never before. So you don't have to store or remember anything about the user. Devise is never, never used here.
How do you manage the shopping cart of a user who is not signed in/up? I'd say the database, with the session ID as primary key. Or you could store all the item IDs in a cookie for later use.
In your code, if you have an action called checkout, just set before_filter :authenticate_user!, :only => [:checkout] in your controller.
But maybe you have some constraints, like being able to keep your user's nickname without signing him up for example?
One alternate option is to do email-only signup, then send an email with a special link to finish registration later / bring them back to their account. There's an actively maintained tutorial on devise email-only signup at:
https://github.com/plataformatec/devise/wiki/How-To:-Email-only-sign-up
I've used this tutorial for a site I did a while back where we only asked for their email address to sign up, then later sent emails for them to complete registration / add a password.
You can keep all unsigned user's data in cookies, and transfer them to database once the user logs in, if you need to.
