Devise Password generator #14

byhbt opened this issue Aug 18, 2020 · 0 comments
byhbt commented Aug 18, 2020

Problem:

When using Devise with the Devise security gem to ensure the password is always strong enough.

If the user logs in via OAuth without a password, we have to generate a random password for this user in order to bypass the NOT NULL constraint on encrypted_password in the users table by default.

```ruby
password = SecureRandom.urlsafe_base64
```

or

```ruby
password = Devise.friendly_token[0,20]
```

Sometimes the result of urlsafe_base64 is a string without a number, which counts as an insecure password according to the security extension devise_security_extension.

You can check by comparing the generated value of urlsafe_base64 to the strong-password pattern in the security gem config:

```ruby
[16] pry(main)> password_regex.match?(SecureRandom.urlsafe_base64)
=> true
[17] pry(main)> password_regex.match?(SecureRandom.urlsafe_base64)
=> true
[18] pry(main)> password_regex.match?(SecureRandom.urlsafe_base64)
=> true
[19] pry(main)> password_regex.match?(SecureRandom.urlsafe_base64)
=> false
[20] pry(main)> password_regex.match?(SecureRandom.urlsafe_base64)
=> true
```

Devise provides a method, but it still uses the same urlsafe_base64 method, so this case can still happen.

```ruby
# Generate a friendly string randomly to be used as token.
# By default, the length is 20 characters.
def self.friendly_token(length = 20)
  # To calculate real characters, we must perform this operation.
  # See SecureRandom.urlsafe_base64
  rlength = (length * 3) / 4
  SecureRandom.urlsafe_base64(rlength).tr('lIO0', 'sxyz')
end
```

Solution:

Override the default generator of Devise password.

Lesson:

  1. Dig into the gem source to see how the data is generated.

  2. Why does urlsafe_base64 sometimes return a string without a number?

Reference:

https://stackoverflow.com/questions/3681827/how-to-auto-generate-passwords-in-rails-devise

@byhbt byhbt added the Rails label Aug 18, 2020
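One way to implement the override described under Solution, added here as an example (it is neither byhbt's code nor Devise's or devise-security's); `PASSWORD_REGEX`, `strong_random_password` and `digitless_probability` are assumed names, and the regex is a constructed stand-in for the gem's pattern, which the issue does not show. The second function also answers the question under Lesson by computing how often a urlsafe_base64 token contains no digit at all.

```ruby
require 'securerandom'

# Constructed stand-in for the gem's strong-password pattern (the issue does
# not show the real regex): at least one digit, one lowercase, one uppercase.
PASSWORD_REGEX = /\A(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{12,}\z/

DIGITS = ('0'..'9').to_a
LOWER  = ('a'..'z').to_a
UPPER  = ('A'..'Z').to_a
ALL    = DIGITS + LOWER + UPPER

# Uniform pick from a pool using the CSPRNG, not Kernel#rand.
def secure_pick(pool)
  pool[SecureRandom.random_number(pool.size)]
end

# Replacement for `Devise.friendly_token[0, 20]` when the value must pass a
# complexity check: one character from each required class is forced in, the
# rest are drawn from the full alphabet, then the order is shuffled with the
# CSPRNG so the guaranteed characters do not sit at fixed positions.
def strong_random_password(length = 20)
  raise ArgumentError, 'length must be at least 3' if length < 3

  chars = [secure_pick(DIGITS), secure_pick(LOWER), secure_pick(UPPER)]
  chars << secure_pick(ALL) while chars.size < length
  chars.shuffle(random: SecureRandom).join
end

# Why the plain urlsafe_base64 call fails now and then: each of its characters
# is one of 64 symbols, only 10 of which are digits, so a 22-character token
# (the default 16 input bytes) carries no digit with probability (54/64)**22,
# roughly 2.4%. Approximation: the final character is not quite uniform.
def digitless_probability(bytes = 16)
  chars = SecureRandom.urlsafe_base64(bytes).length
  (54.0 / 64)**chars
end

if __FILE__ == $PROGRAM_NAME
  puts strong_random_password
  puts format('P(no digit in urlsafe_base64) ~= %.4f', digitless_probability)
end
```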