Merge pull request heartcombo#4461 from jjuliano/patch-1

Confirmation link validity is wrong in different time zone

Author: carlosantoniodasilva

CHANGELOG.md

@@ -7,6 +7,7 @@
   * Attempt to reset password without the password field in the request now results in a `:blank` validation error.
     Before this change, Devise would accept the reset password request and log the user in, without validating/changing
     the password. (by @victor-am)
+  * Confirmation links now expire based on UTC time, working properly when using different timezones. (by @jjuliano)
 * enhancements
   * Notify the original email when it is changed with a new `Devise.send_email_changed_notification` setting.
     When using `reconfirmable`, the notification will be sent right away instead of when the unconfirmed email is confirmed.

lib/devise/models/confirmable.rb

@@ -225,7 +225,7 @@ def confirmation_period_valid?
         #   confirmation_period_expired?  # will always return false
         #
         def confirmation_period_expired?
-          self.class.confirm_within && self.confirmation_sent_at && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
+          self.class.confirm_within && self.confirmation_sent_at && (Time.now.utc > self.confirmation_sent_at + self.class.confirm_within)
         end
 
         # Checks whether the record requires any confirmation.