Merge pull request #4461 from jjuliano/patch-1

Confirmation link validity is wrong in different time zone
2026-04-28 03:00:29 -04:00 · 2017-03-15 10:17:25 -03:00
parent 0c5d78e31c a3d31778c2
commit a665aada25
2 changed files with 2 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
  * Attempt to reset password without the password field in the request now results in a `:blank` validation error.
    Before this change, Devise would accept the reset password request and log the user in, without validating/changing
    the password. (by @victor-am)
+  * Confirmation links now expire based on UTC time, working properly when using different timezones. (by @jjuliano)
 * enhancements
  * Notify the original email when it is changed with a new `Devise.send_email_changed_notification` setting.
    When using `reconfirmable`, the notification will be sent right away instead of when the unconfirmed email is confirmed.
--- a/lib/devise/models/confirmable.rb
+++ b/lib/devise/models/confirmable.rb
@@ -225,7 +225,7 @@ module Devise
        #   confirmation_period_expired?  # will always return false
        #
        def confirmation_period_expired?
-          self.class.confirm_within && self.confirmation_sent_at && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
+          self.class.confirm_within && self.confirmation_sent_at && (Time.now.utc > self.confirmation_sent_at + self.class.confirm_within)
        end

        # Checks whether the record requires any confirmation.