Add options to expire confirmation tokens

With this patch, functionality is added to expire the confirmation tokens that are being sent by email. For example, if a token is valid for 3 days only, it cannot be used for confirmation on the 4th day.
2026-04-28 03:00:29 -04:00 · 2012-07-09 14:43:12 +02:00
parent 8463c6dce4
commit 87f2fa9767
9 changed files with 120 additions and 11 deletions
--- a/lib/devise.rb
+++ b/lib/devise.rb
@@ -104,6 +104,10 @@ module Devise
  mattr_accessor :allow_unconfirmed_access_for
  @@allow_unconfirmed_access_for = 0.days

+  # Time interval the confirmation token is valid. nil = unlimited
+  mattr_accessor :expire_confirmation_token_after
+  @@expire_confirmation_token_after = nil
+
  # Defines which key will be used when confirming an account.
  mattr_accessor :confirmation_keys
  @@confirmation_keys = [ :email ]
@@ -199,7 +203,7 @@ module Devise
  # to provide custom routes.
  mattr_accessor :router_name
  @@router_name = nil
-  
+
  # Set the omniauth path prefix so it can be overriden when
  # Devise is used in a mountable engine
  mattr_accessor :omniauth_path_prefix
--- a/lib/devise/models/confirmable.rb
+++ b/lib/devise/models/confirmable.rb
@@ -19,6 +19,8 @@ module Devise
    #     db field to be setup (t.reconfirmable in migrations). Until confirmed new email is
    #     stored in unconfirmed email column, and copied to email column on successful
    #     confirmation.
+    #   * +expire_confirmation_token_after+: the time before a sent confirmation token becomes invalid.
+    #     You can use this to force the user to confirm within a set period of time.
    #
    # == Examples
    #
@@ -28,6 +30,8 @@ module Devise
    #
    module Confirmable
      extend ActiveSupport::Concern
+      # TODO: is this a good idea?
+      include ActionView::Helpers::DateHelper

      included do
        before_create :generate_confirmation_token, :if => :confirmation_required?
@@ -118,7 +122,6 @@ module Devise
        end
        headers
      end
-
      protected

        # A callback method used to deliver confirmation
@@ -156,12 +159,34 @@ module Devise
          confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago
        end

+        # Checks if the user confirmation happens before the token becomes invalid
+        #
+        # Examples:
+        #
+        #   # expire_confirmation_token_after = 3.days and confirmation_sent_at = 2.days.ago
+        #   confirmation_period_expired?  # returns false
+        #
+        #   # expire_confirmation_token_after = 3.days and confirmation_sent_at = 4.days.ago
+        #   confirmation_period_expired?  # returns true
+        #
+        #   # expire_confirmation_token_after = nil
+        #   confirmation_period_expired?  # will always return false
+        #
+        def confirmation_period_expired?
+          self.class.expire_confirmation_token_after && (Time.now > self.confirmation_sent_at + self.class.expire_confirmation_token_after)
+        end
+
        # Checks whether the record requires any confirmation.
        def pending_any_confirmation
-          if !confirmed? || pending_reconfirmation?
+          if !confirmation_period_expired? && (!confirmed? || pending_reconfirmation?)
            yield
          else
-            self.errors.add(:email, :already_confirmed)
+            # TODO: cache this call or not?
+            if confirmation_period_expired?
+              self.errors.add(:email, :confirmation_period_expired, period: time_ago_in_words(self.class.expire_confirmation_token_after.ago))
+            else
+              self.errors.add(:email, :already_confirmed)
+            end
            false
          end
        end
@@ -235,7 +260,7 @@ module Devise
          find_or_initialize_with_errors(unconfirmed_required_attributes, unconfirmed_attributes, :not_found)
        end

-        Devise::Models.config(self, :allow_unconfirmed_access_for, :confirmation_keys, :reconfirmable)
+        Devise::Models.config(self, :allow_unconfirmed_access_for, :confirmation_keys, :reconfirmable, :expire_confirmation_token_after)
      end
    end
  end
--- a/lib/generators/templates/devise.rb
+++ b/lib/generators/templates/devise.rb
@@ -92,6 +92,14 @@ Devise.setup do |config|
  # the user cannot access the website without confirming his account.
  # config.allow_unconfirmed_access_for = 2.days

+  # A period that the user is allowed to confirm their account before their token
+  # becomes invalid. For example, if set to 3.days, the user can confirm their account
+  # within 3 days after the mail was sent, but on the fourth day their account can't be
+  # confirmed with the token any more
+  # Default is nil, meaning there is no restriction on how long a user can take before
+  # comfirming their account.
+  # config.expire_confirmation_token_after = 3.days
+
  # If true, requires any email changes to be confirmed (exactly the same way as
  # initial account confirmation) to be applied. Requires additional unconfirmed_email
  # db field (see migrations). Until confirmed new email is stored in
@@ -125,7 +133,7 @@ Devise.setup do |config|
  # The time you want to timeout the user session without activity. After this
  # time the user will be asked for credentials again. Default is 30 minutes.
  # config.timeout_in = 30.minutes
-  
+
  # If true, expires auth token on session timeout.
  # config.expire_auth_token_on_timeout = false