Confirmable should generate a token if confirmation_token is currently an empty string

## Environment

- Ruby 2.5.5p157
- Rails 5.2.3
- Devise 4.6.1

## Current behavior

Currently, when using the confirmable module, devise only checks if the `confirmation_token` field not nil. If it's nil, it will generate a confirmation token for you; if it's not, it won't. However, it can be set to an empty string, which should not be allowed, as it presents a security issue, allowing someone passing an empty string as the confirmation token to sign in as the person with the blank string confirmation token. 

This is the offending code: https://github.com/plataformatec/devise/blob/e91b8ee0bac0503af119bf7333499d7729166a4d/lib/devise/models/confirmable.rb#L249

## Expected behavior

Devise should do something like `if self.confirmation_token.present?`, which checks for nil and blank.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Confirmable should generate a token if confirmation_token is currently an empty string #5071

Environment

Current behavior

Expected behavior

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Confirmable should generate a token if confirmation_token is currently an empty string #5071

Description

Environment

Current behavior

Expected behavior

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions