From d1d4a54c2344233289fab90ab59cdc0c3497708a Mon Sep 17 00:00:00 2001
From: Muhammad Muhammad Ibrahim
Date: Wed, 22 Sep 2021 12:32:24 +0200
Subject: [PATCH] Prevent error when authenticating user with a blank password digest

Co-authored-by: Petrik de Heus
---
 activemodel/lib/active_model/secure_password.rb | 2 +-
 activemodel/test/cases/secure_password_test.rb  | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
index 6af2809b24d42..4d548dec63e13 100644
--- a/activemodel/lib/active_model/secure_password.rb
+++ b/activemodel/lib/active_model/secure_password.rb
@@ -118,7 +118,7 @@ def initialize(attribute)
         #   user.authenticate_password('mUc3m00RsqyRe') # => user
         define_method("authenticate_#{attribute}") do |unencrypted_password|
           attribute_digest = public_send("#{attribute}_digest")
-          BCrypt::Password.new(attribute_digest).is_password?(unencrypted_password) && self
+          attribute_digest.present? && BCrypt::Password.new(attribute_digest).is_password?(unencrypted_password) && self
         end
 
         alias_method :authenticate, :authenticate_password if attribute == :password
diff --git a/activemodel/test/cases/secure_password_test.rb b/activemodel/test/cases/secure_password_test.rb
index 0aca714bd2199..70daba3f38b07 100644
--- a/activemodel/test/cases/secure_password_test.rb
+++ b/activemodel/test/cases/secure_password_test.rb
@@ -212,6 +212,11 @@ class SecurePasswordTest < ActiveModel::TestCase
       assert_equal @user, @user.authenticate_recovery_password("42password")
     end
 
+    test "authenticate should return false and not raise when password digest is blank" do
+      @user.password_digest = " "
+      assert_equal false, @user.authenticate(" ")
+    end
+
     test "Password digest cost defaults to bcrypt default cost when min_cost is false" do
       ActiveModel::SecurePassword.min_cost = false
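Review bot: The new `attribute_digest.present? &&` guard makes `authenticate_#{attribute}` return `false` without consulting BCrypt whenever the stored digest is blank, but nothing on the method records why; the doc comment above the hunk only describes the correct-password and wrong-password cases. Add a why-comment on the new line, e.g. `# A blank digest means no password has been set; BCrypt::Password.new raises on it, so answer false without consulting BCrypt.` Note that the guard covers only blank values — a non-blank but malformed digest still reaches `BCrypt::Password.new`, which (if I recall the bcrypt gem correctly) raises `BCrypt::Errors::InvalidHash`, so the fix is narrower than the subject line suggests and that limit is worth stating in the docs. It is also worth documenting that a blank-digest account now answers `false` without paying the bcrypt cost, i.e. measurably faster than a wrong password against a real digest; this was already the case when the call raised, so it is not a regression, but callers that rely on uniform response timing should know. The enclosing `initialize(attribute)` starts outside the hunk.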