After upgrading your Rails version, "forgot password" is no longer working for you - you can send the forgot password link, but when you follow the link it always says it's invalid.
We encountered this when upgrading to Rails 8. The only thing we found in the release notes or changelog that appeared related was about 7.1, but we were on 7.1 for a while, and did not encounter the problem with 7.1 or 7.2 - only when we upgraded to 8.0.
Switch from find_by to find_by_password_reset_token. We had...
@user = User.find_by(password_reset_token: params[:token])... and the problem was fixed when we switched to:
@user = User.find_by_password_reset_token(params[:token])This might seem counter-intuitive, especially if you use rubocop, because rubocop will flag it:
Use `find_by` instead of dynamic `find_by_password_reset_token`. (convention:Rails/DynamicFindBy)
It doesn't recognize that find_by_password_reset_token is actually a method rather than a "DynamicFindBy,"
because find_by_password_reset_token is defined in a somewhat unusual way:
# Only generate tokens for records that are capable of doing so (Active Records, not vanilla Active Models)
if reset_token && respond_to?(:generates_token_for)
generates_token_for :"#{attribute}_reset", expires_in: 15.minutes do
public_send(:"#{attribute}_salt")&.last(10)
end
class_eval <<-RUBY, __FILE__, __LINE__ + 1
silence_redefinition_of_method :find_by_#{attribute}_reset_token
def self.find_by_#{attribute}_reset_token(token)
find_by_token_for(:#{attribute}_reset, token)
end
silence_redefinition_of_method :find_by_#{attribute}_reset_token!
def self.find_by_#{attribute}_reset_token!(token)
find_by_token_for!(:#{attribute}_reset, token)
end
RUBY
endIn other words, find_by_password_reset_token just delegates to find_by_token_for(:#{attribute}_reset, token),
where attribute is password. If you switch to find_by_token_for(:password_reset, token) then the rubocop
warning will go away, since that doesn't fit the warning for conventions/DynamicFindBy:
@user = User.find_by_token_for(:password_reset, params[:token])But since find_by_token_for(:password_reset, token) feels a little bit hard to remember (or ugly to repeat several times)
we decided to add a method to the User class, find_via_password_reset_token, and in that method we use
the find_by_token_for method:
# In your User model's public methods
def self.find_via_password_reset_token(token)
find_by_token_for(:password_reset, token)
endrubocop doesn't flag that, and it works. If you name it find_by_password_reset_token then you'll have the rubocop warning when you use the method - hence naming it find_via... instead (of course, you can name it whatever you want, as long as it doesn't match the find_by_... pattern that rubocop will flag).
Another option that you may find more self-documenting (but it requires rubocop directives):
def self.find_via_password_reset_token(token)
# rubocop:disable Rails/DynamicFindBy
find_by_password_reset_token(token)
# rubocop:enable Rails/DynamicFindBy
endMore verbose version with a comment explaining the workaround
def self.find_via_password_reset_token(token)
# This is equivalent to `User.find_by_password_reset_token`, but doesn't get the rubocop
# warning about using a dynamic method name. We have this helper because as of Rails 8
# we cannot simply do `User.find_by(password_reset_token: token)` anymore (it won't find
# the user), and if we just do `User.find_by_password_reset_token` as the docs recommend,
# rubocop flags it for using `convention/DynamicFindBy`. This is a workaround for that.
find_by_token_for(:password_reset, token)
endThis section on railsdoc.github.io for Rails 8.0:
