Update DatabaseAuthenticatable#valid_password? to not raise error on empty password

Signed-off-by: José Valim <jose.valim@gmail.com>
2022-11-09 12:18:31 -05:00 · 2011-04-16 16:13:17 +10:00 · 2011-04-16 16:13:17 +10:00 · e329930a82
commit e329930a82
parent 3940846d79
2 changed files with 21 additions and 5 deletions
--- a/lib/devise/models/database_authenticatable.rb
+++ b/lib/devise/models/database_authenticatable.rb
@ -33,9 +33,13 @@ module Devise

      # Verifies whether an password (ie from sign in) is the user password.
      def valid_password?(password)
-        bcrypt   = ::BCrypt::Password.new(self.encrypted_password)
-        password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
-        Devise.secure_compare(password, self.encrypted_password)
+        begin
+          bcrypt   = ::BCrypt::Password.new(self.encrypted_password)
+          password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
+          Devise.secure_compare(password, self.encrypted_password)
+        rescue BCrypt::Errors::InvalidHash
+          return false
+        end
      end

      # Set password and password confirmation to nil
--- a/test/models/database_authenticatable_test.rb
+++ b/test/models/database_authenticatable_test.rb
@ -48,6 +48,18 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
    assert_not user.valid_password?('654321')
  end

+  test 'should not raise error with an empty password' do
+    user = create_user
+    user.encrypted_password = ''
+    assert_nothing_raised { user.valid_password?('123456') }
+  end
+
+  test 'should be an invalid password if the user has an empty password' do
+    user = create_user
+    user.encrypted_password = ''
+    assert_not user.valid_password?('654321')
+  end
+
  test 'should respond to current password' do
    assert new_user.respond_to?(:current_password)
  end