Module: Devise::Models::SecureValidatable
- Includes:
- Compatibility
- Defined in:
- lib/devise-security/models/secure_validatable.rb
Overview
SecureValidatable provides stricter validations, adding checks aimed at security.
Options
SecureValidatable adds the following options to devise_for:
* +email_regexp+: the regular expression used to validate e-mails;
* +password_length+: a range expressing password length. Defaults to the value set in Devise;
* +password_regex+: the regular expression a strong password must match. Defaults to /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
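What the default +password_regex+ above accepts and rejects, as an added Ruby example that is not devise-security code. The 8..128 length range, the rule names, the helper names and the sample passwords are assumptions constructed for illustration.

```ruby
# Added example: models the default composition check outside Rails.
DEFAULT_PASSWORD_REGEX = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/ # default quoted on this page
ASSUMED_PASSWORD_LENGTH = 8..128 # assumption, not taken from the page

# One pattern per lookahead, so a rejection can be attributed to a rule.
COMPOSITION_RULES = { digit: /\d/, lowercase: /[a-z]/, uppercase: /[A-Z]/ }.freeze

# Returns the list of rules a candidate fails; an empty list means it passes.
# The format validation is modelled here as a plain Regexp#match? call.
def password_policy_failures(password, length: ASSUMED_PASSWORD_LENGTH)
  failures = []
  failures << :length unless length.cover?(password.length)
  return failures if DEFAULT_PASSWORD_REGEX.match?(password)

  missing = COMPOSITION_RULES.reject { |_name, rule| rule.match?(password) }.keys
  # Every class present but still no match: `.` in the lookaheads does not
  # cross a newline, so the three classes must share one line.
  failures.concat(missing.empty? ? [:classes_split_across_lines] : missing)
end

# Constructed sample passwords, for illustration only.
SAMPLES = [
  'Password1',                                # meets every rule
  'password1',                                # no uppercase letter
  'PASSWORD1',                                # no lowercase letter
  'Passwordx',                                # no digit
  'Pw1',                                      # all classes, too short
  "\u00c4\u00d6\u00dc\u00e4\u00f6\u00fc1234", # non-ASCII letters only
  "Abcdefgh\n1"                               # digit sits on a second line
].freeze

# Maps each sample to the rules it fails.
def audit_samples
  SAMPLES.map { |pw| [pw, password_policy_failures(pw)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  audit_samples.each { |pw, failures| puts format('%-16s %s', pw.inspect, failures.inspect) }
end
```

`Password1` satisfies both rules, so the default pattern sets a character-class floor rather than measuring strength.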
Defined Under Namespace
Modules: ClassMethods
Class Method Summary
Instance Method Summary
Methods included from Compatibility
#encrypted_password_before_last_save, #saved_change_to_encrypted_password?, #will_save_change_to_encrypted_password?
Class Method Details
.assert_secure_validations_api!(base) ⇒ Object
    # File 'lib/devise-security/models/secure_validatable.rb', line 56

    def self.assert_secure_validations_api!(base)
      raise "Could not use SecureValidatable on #{base}" unless base.respond_to?(:validates)
    end
.included(base) ⇒ Object
    # File 'lib/devise-security/models/secure_validatable.rb', line 18

    def self.included(base)
      base.extend ClassMethods
      assert_secure_validations_api!(base)

      base.class_eval do
        already_validated_email = false

        # validate login in a strict way if not yet validated
        unless has_uniqueness_validation_of_login?
          validation_condition = "#{login_attribute}_changed?".to_sym

          validates login_attribute, uniqueness: {
                                       scope: authentication_keys[1..-1],
                                       case_sensitive: !!case_insensitive_keys
                                     },
                                     if: validation_condition

          already_validated_email = login_attribute.to_s == 'email'
        end

        unless devise_validation_enabled?
          validates :email, presence: true, if: :email_required?
          unless already_validated_email
            validates :email, uniqueness: true, allow_blank: true, if: :email_changed? # check uniq for email ever
          end

          validates :password, presence: true, length: password_length, confirmation: true, if: :password_required?
        end

        # extra validations
        validates :email, email: email_validation if email_validation # use rails_email_validator or similar
        validates :password, format: { with: password_regex, message: :password_format }, if: :password_required?

        # don't allow use same password
        validate :current_equal_password_validation
      end
    end
Instance Method Details
#current_equal_password_validation ⇒ Object
    # File 'lib/devise-security/models/secure_validatable.rb', line 60

    def current_equal_password_validation
      return if new_record? || !will_save_change_to_encrypted_password? || password.blank?
      dummy = self.class.new(encrypted_password: encrypted_password_was).tap do |user|
        user.password_salt = password_salt_was if respond_to?(:password_salt)
      end
      self.errors.add(:password, :equal_to_current_password) if dummy.valid_password?(password)
    end