signed_id cannot be secure for confirmation_email

[lazaronixon]

rails_mvp_authentication/lib/generators/rails_mvp_authentication/templates/confirmations_controller.rb.tt

Line 16 in b2e0ebd

@user = User.find_signed(params[:confirmation_token], purpose: :confirm_email)

The user will receive a confirmation token, with this token he can validate any further email. I solved it by setting the email as purpose, so that token is valid only for that email.

@user = User.find_signed(params[:confirmation_token], purpose: "verify_#{params[:email]}")

[stevepolitodesign]

Thank you for your diligence here. Let me make sure I'm understanding this correctly.

1. A user confirms their email address, and bookmarks the URL that they used to have it confirmed.
2. A user updates their email address immediately after confirming their original email, before the URL in step 1 expires
3. The user uses the URL in step 1 to confirm the new email address from step 2.

[lazaronixon]

Exactly, My final solution was @user = User.where(email: params[:email]).find_signed(params[:confirmation_token], purpose: params[:email])

This way that signed_id is valid only for that email and the signed user must have the email equals to token.

[stevepolitodesign]

Thank you for the clarification, I'll plan on addressing this soon 👍