Custom attribute name in has_secure_password #1440
Assigned to @dhh for review. I think this ticket looks good to me, just curious if you want to add anything to it or not.
I think if we allow a customized password field, we need to allow having more than one secured_password field.
# Returns self if the password is correct, otherwise false. | ||
def authenticate(unencrypted_password) | ||
if BCrypt::Password.new(password_digest) == unencrypted_password | ||
if BCrypt::Password.new(send(:"#{custom_password_attribute}")) == unencrypted_password |
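Review bot: On the added line `BCrypt::Password.new(send(:"#{custom_password_attribute}"))`, `send` dispatches to any method, private ones included, and the name now comes from an option the caller passes to has_secure_password; prefer `public_send(custom_password_attribute)` or reading the attribute directly, and drop the `:"#{...}"` interpolation, since `send` accepts the name as it is. Nothing in this hunk handles a nil or blank digest, which `BCrypt::Password.new` rejects with an exception, so a record whose custom column is empty would raise rather than return false as the comment above the method says.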
This could be simply send(custom_password_attribute), no?
Correct. I did change it but forgot to push it. Will do now.
More than one secure field does make sense. Should I do it in this pull request or maybe do it as a separate pull request? Please give your opinion.
I don't think we need to support more than one field. As maintainer of Devise, nobody has ever asked for a feature like that.
I think the ability to encrypt any field and not just password field would be interesting. Something like: `has_secure_field :some_random_attribute`. However, it would need more work as at the moment the whole idea of secure field is tightly bound to password but IMHO the code should be able to adapt to any field irrespective. Therefore, I would create a diff pull request for it if it's deemed useful. Opinion?
Any more feedback on this pull request?
There is a rampant discussion on this topic in issue #1159. My personal opinion is that this is so easy to implement, any non-standard interaction (field name, encryption method, etc.) should just have its own implementation. If absolutely needed, any options to
I am closing this after some discussion with other cores. If you want more customization, there are plenty of auth tools out there.
Added code to allow users to pass a custom attribute name to has_secure_password.
Example: