lib/generators/authkit/templates/app/controllers/email_confirmation_controller.rb in authkit-0.5.0 vs lib/generators/authkit/templates/app/controllers/email_confirmation_controller.rb in authkit-0.7.0
- old
+ new
@@ -1,11 +1,9 @@
class EmailConfirmationController < ApplicationController
- before_filter :require_login
- before_filter :require_token
+ before_action :require_login
+ before_action :require_token
- respond_to :html
-
def show
if current_user.email_confirmed
# Do not automatically log in the user
flash[:notice] = "Thanks for confirming your email address"
@@ -31,12 +29,11 @@
# brute-force a confirmation. By default this gains the attacker nothing.
#
# It is possible to consider failed confirmation tokens failed attempts and
# lock the account.
def require_token
- verifier = ActiveSupport::MessageVerifier.new(Rails.application.config.secret_key_base)
valid = params[:token].present? && current_user.confirmation_token.present?
- valid = valid && verifier.send(:secure_compare, params[:token], current_user.confirmation_token)
+ valid = valid && ActiveSupport::SecurityUtils.secure_compare(params[:token], current_user.confirmation_token)
valid = valid && !current_user.confirmation_token_expired?
deny_user("Invalid token", root_path) unless valid
end
end
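Review bot: The added `ActiveSupport::SecurityUtils.secure_compare` line receives `params[:token]` unfiltered; a non-String value (an array or nested hash from `token[]=` / `token[x]=` query syntax) passes the `present?` check on the line above but makes `secure_compare` raise on `bytesize`, so a malformed request surfaces as a 500 instead of reaching the `deny_user("Invalid token", root_path)` branch. Pulling the parameter into a local and type-checking it keeps the deny path as the single failure mode: `token = params[:token]` followed by `valid = token.is_a?(String) && token.present? && current_user.confirmation_token.present?`, with the `secure_compare` call then using `token`. Since the comment block above already discusses brute-force attempts, it would be worth adding a line there noting that the comparison is constant-time via `SecurityUtils` and that the Rails version floor for the generator is whatever first ships that public method (replace the `verifier.send(:secure_compare, ...)` note the diff removes).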