Password reset token not found in session

[snadon]

It doesn't happen often.

Here's my Heroku log:

2024-06-27T20:55:21.567698+00:00 heroku[router]: at=info method=GET path="/password_resets/1?token=WyJnOFBIZlBzVUlFemJ0RTEyaDhVYnUzb3ZGZXhIMng0NE05UGs5UlpNdm9zPSIsIkphaDNockRvYWNWN2hMUXBzOXBVcWMycU05Yz0iXQ%3D%3D" host=www.portrait-sonore.com request_id=caf06e8f-1fb8-401a-96c3-3ede9ea9c108 fwd="166.62.222.58,172.69.214.213" dyno=web.1 connect=0ms service=1ms status=302 bytes=739 protocol=https

2024-06-27T20:55:21.634268+00:00 heroku[router]: at=info method=GET path="/password_resets/1/edit" host=www.portrait-sonore.com request_id=7f21a308-462f-4135-88f9-d2a9b4a851ed fwd="166.62.222.58,172.69.214.213" dyno=web.1 connect=0ms service=1ms status=500 bytes=2002 protocol=https

2024-06-27T20:55:21.566533+00:00 app[web.1]: {"severity":"Info","source":"lucky","timestamp":"2024-06-27T20:55:21+00:00","local":{"method":"GET","path":"/password_resets/1?token=WyJnOFBIZlBzVUlFemJ0RTEyaDhVYnUzb3ZGZXhIMng0NE05UGs5UlpNdm9zPSIsIkphaDNockRvYWNWN2hMUXBzOXBVcWMycU05Yz0iXQ%3D%3D","request_id":null}}

2024-06-27T20:55:21.567295+00:00 app[web.1]: {"severity":"Info","source":"lucky","timestamp":"2024-06-27T20:55:21+00:00","local":{"status":302,"duration":"846.26µs","request_id":null}}

2024-06-27T20:55:21.633063+00:00 app[web.1]: {"severity":"Info","source":"lucky","timestamp":"2024-06-27T20:55:21+00:00","local":{"method":"GET","path":"/password_resets/1/edit","request_id":null}}

2024-06-27T20:55:21.634529+00:00 app[web.1]: {"severity":"Error","source":"lucky","timestamp":"2024-06-27T20:55:21+00:00","error":{"class":"Exception","message":"Password reset token not found in session","backtrace":["/tmp/build_b2e0cf60/lib/lucky/src/lucky/secure_headers/set_frame_guard.cr:45:17 in 'call'","/tmp/build_b2e0cf60/lib/lucky/src/lucky/renderable.cr:130:16 in 'perform_action'","/tmp/build_b2e0cf60/lib/lucky/src/lucky/route_handler.cr:10:7 in 'call'","/tmp/build_b2e0cf60/.heroku/crystal/share/crystal/src/http/server/handler.cr:30:7 in 'call'","/tmp/build_b2e0cf60/.heroku/crystal/share/crystal/src/http/server/handler.cr:30:7 in 'call'","/tmp/build_b2e0cf60/.heroku/crystal/share/crystal/src/http/server/handler.cr:32:7 in 'call_next'","/tmp/build_b2e0cf60/.heroku/crystal/share/crystal/src/time.cr:357:5 in 'call'","/tmp/build_b2e0cf60/.heroku/crystal/share/crystal/src/http/server/handler.cr:30:7 in 'call'","/tmp/build_b2e0cf60/.heroku/crystal/share/crystal/src/http/server/handler.cr:32:7 in 'call_next'","/tmp/build_b2e0cf60/lib/lucky/src/lucky/force_ssl_handler.cr:36:8 in 'call'","/tmp/build_b2e0cf60/lib/lucky/src/lucky/request_id_handler.cr:24:5 in 'call'","/tmp/build_b2e0cf60/.heroku/crystal/share/crystal/src/http/server/request_processor.cr:51:11 in 'handle_client'","/tmp/build_b2e0cf60/.heroku/crystal/share/crystal/src/fiber.cr:141:11 in 'run'","???"]}}

[snadon]

We noticed that the error occured when the token link encodes the characters == with %3D%3D.

[jwoertink]

So now the question is, where do we put the fix, and what is that fix?

[snadon]

Removing the redirect works.

  private def redirect_to_edit_form_without_token_param
    make_token_available_to_future_actions
    # redirect to: PasswordResets::Edit.with(user_id)
    html NewPage, operation: ResetPassword.new, user_id: user_id.to_i64
  end

So the session changes when redirecting only when I click the link in the email.