Module: Devise::Models::DatabaseAuthenticatable

Extended by:
ActiveSupport::Concern
Defined in:
lib/devise/models/database_authenticatable.rb

Overview

Authenticatable Module, responsible for encrypting password and validating authenticity of a user while signing in.

Options

DatabaseAuthenticable adds the following options to devise_for:

* +pepper+: a random string used to provide a more secure hash. Use
  `rake secret` to generate new keys.

* +stretches+: the cost given to bcrypt.

Examples

User.find(1).valid_password?('password123')         # returns true/false

Defined Under Namespace

Modules: ClassMethods

Class Method Summary collapse

Instance Method Summary collapse

Class Method Details

.required_fields(klass) ⇒ Object



30
31
32
# File 'lib/devise/models/database_authenticatable.rb', line 30

def self.required_fields(klass)
  [:encrypted_password] + klass.authentication_keys
end

Instance Method Details

#after_database_authenticationObject



113
114
# File 'lib/devise/models/database_authenticatable.rb', line 113

def after_database_authentication
end

#authenticatable_saltObject

A reliable way to expose the salt regardless of the implementation.



117
118
119
# File 'lib/devise/models/database_authenticatable.rb', line 117

def authenticatable_salt
  encrypted_password[0,29] if encrypted_password
end

#clean_up_passwordsObject

Set password and password confirmation to nil



49
50
51
# File 'lib/devise/models/database_authenticatable.rb', line 49

def clean_up_passwords
  self.password = self.password_confirmation = nil
end

#destroy_with_password(current_password) ⇒ Object

Destroy record when :current_password matches, otherwise returns error on :current_password. It also automatically rejects :current_password if it is blank.



101
102
103
104
105
106
107
108
109
110
111
# File 'lib/devise/models/database_authenticatable.rb', line 101

def destroy_with_password(current_password)
  result = if valid_password?(current_password)
    destroy
  else
    self.valid?
    self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
    false
  end

  result
end

#password=(new_password) ⇒ Object

Generates password encryption based on the given value.



35
36
37
38
# File 'lib/devise/models/database_authenticatable.rb', line 35

def password=(new_password)
  @password = new_password
  self.encrypted_password = password_digest(@password) if @password.present?
end

#update_with_password(params, *options) ⇒ Object

Update record attributes when :current_password matches, otherwise returns error on :current_password. It also automatically rejects :password and :password_confirmation if they are blank.



56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
# File 'lib/devise/models/database_authenticatable.rb', line 56

def update_with_password(params, *options)
  current_password = params.delete(:current_password)

  if params[:password].blank?
    params.delete(:password)
    params.delete(:password_confirmation) if params[:password_confirmation].blank?
  end

  result = if valid_password?(current_password)
    update_attributes(params, *options)
  else
    self.assign_attributes(params, *options)
    self.valid?
    self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
    false
  end

  clean_up_passwords
  result
end

#update_without_password(params, *options) ⇒ Object

Updates record attributes without asking for the current password. Never allows a change to the current password. If you are using this method, you should probably override this method to protect other attributes you would not like to be updated without a password.

Example:

def update_without_password(params={})
  params.delete(:email)
  super(params)
end


89
90
91
92
93
94
95
96
# File 'lib/devise/models/database_authenticatable.rb', line 89

def update_without_password(params, *options)
  params.delete(:password)
  params.delete(:password_confirmation)

  result = update_attributes(params, *options)
  clean_up_passwords
  result
end

#valid_password?(password) ⇒ Boolean

Verifies whether an password (ie from sign in) is the user password.

Returns:

  • (Boolean)


41
42
43
44
45
46
# File 'lib/devise/models/database_authenticatable.rb', line 41

def valid_password?(password)
  return false if encrypted_password.blank?
  bcrypt   = ::BCrypt::Password.new(encrypted_password)
  password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
  Devise.secure_compare(password, encrypted_password)
end