switched to ssl and devise tokens are invalid

We just switched our rails 3 app over to SSL, and later noticed that password recovery tokens aren't working in production any longer. It says "invalid token" when a user tries to reset their password using the emailed link.

I'm using rails 3.0.0, devise 1.3.4, and our user model has:

devise :database_authenticatable, :invitable, :registerable,
       :recoverable, :rememberable, :trackable, :validatable

I'm not using anything like ssl_requirement, because we just did ssl universally across the app. I expired old tokens to make sure it wasn't somehow 开发者_StackOverflow中文版not expiring old tokens or something. I'm baffled.

---

This was a problem with our nginx config, and entirely unrelated to Devise. But in case anyone else ever finds themselves in a similar position, here's what went down. We set up nginx to redirect the plain http urls to https.. Specifically we had a double rewrite when someone went from domain.com to www.domain.com to https://www.domain.com, and the reset_code was getting added to the end a second time so that reset_code was coming through to the app as ?reset_code=12345?reset_code=12345.

So we changed our nginx config so:

# rewrite ^ https://$server_name$request_uri permanent;
rewrite ^(.*) https://$host$1 permanent;

and then just an optimization

rewrite ^(.*)$ https://www.domain.com$1 permanent;

and all better now.

---

The answer provided above is correct. But it is a temporary solution and it works only for devise. However the problem arises when you manually send a confirmation token via email. You can fix this permanently.Go to environment/production. and change this line

config.action_mailer.default_url_options = { :host => 'domainname', :protocol => "http"}

to

config.action_mailer.default_url_options = { :host => 'domainname', :protocol => "https"}