I have a password policy need to apply at my ROR application.
Prohibit passwords from being the same as the account ID or user ID.
For example: System will prompt error if I use the wording contain of 'alex' if my username is
alex#google.com
Use custom validation, in your User model
validate :password_content
def password_content
self.errors.add(:password, "cannot contain username") if password.include?(user_name[/[^#]+/])
end
It will throw a validation error if password contains user_name. Hope this helps!
You can make use of include?
if password.inlcude? user_name[/[^#]+/]
do something
end
Related
I need to add a second password field to devise. The original password will be used to login as usual. The second password will be used to "sign" documents.
Any ideas on how to implement this?
I would just generate a migration specifying the data type as string.
1)rails g migration AddPasswordToUser sign_password
2)rake db:migrate
3) update the user_params
I would also use the gem bcrypt to get encrypt the password
https://github.com/codahale/bcrypt-ruby
What do you mean by "signing documents" ?
Do you have a Document model ?
And a relation between User and Document ?
If yes, you should add the password on the Document model.
I am using OmniAuth and Devise to authenticate users. I would like users that have signed up using OmniAuth providers to be able to set an optional password (needed for API authentication) but I'm running into a wall.
If a user creates an account via OmniAuth and tries to set a password they get the following error:
BCrypt::Errors::InvalidHash in RegistrationsController#update
I believe this is because the password is blank. What's a good way around this? I've thought about generating a random password but the problem with that approach is the user needs to know the current password in order to edit settings.
Edit:
I looked at allowing the user to change settings without requiring a current password and that's what I would like to do only if the user didn't have a password initially.
An alternative is to add the following into your 'user' model class to bypass password verification if there is no password to verify, where provider is some field that is set when using external authentication.
def valid_password?(password)
!provider.nil? || super(password)
end
I assume you don't want the easy way out which would be to simply reset the password if they wanted to set it?
user.send_reset_password_instructions
This comes a bit late but it might help someone else, with Andrew's answer you can in create a password and store it in the database, but you can't login using your email and your new password, solved this by setting:
def valid_password
!provider.nil? && !encrypted_password.present? || super
end
Another alternative. You don't have to include a new field. Just catch the exception raised and return false. Here is the code.
def valid_password?(password)
begin
super(password)
rescue BCrypt::Errors::InvalidHash
return false
end
end
This should do the job.
I am building a RoR 3 app, a community. It has a User model and some fields.
So when a user is updating a certain field, like his/her birthday, I want to validate that the User typed in the password that is the same in the database. This way I know that it is the right user trying to change the birthday.
So I ask you how i can create such a validator.
Also I would like to be able to specify an array of which fields the user has to validate the password to change.
This is actually pretty easy to do once you are familiar with the Rails framework.
models/User.rb
class User < ActiveRecord::Base
validate :correct_password?, :if => :check_password?
def check_password?
[birthday_changed?, other_field_changed?].any?
end
def correct_password?
# without knowing more about how you store the password
# this probably won't work with your code directly
errors.add_to_base("Must provide password") unless password?
errors.add_to_base("Incorrect password") unless password == User.find_by_id(id).password
end
end
Even though building user authentication and authorization is not hard - I would advise to use something like "AuthLogic" or "Devise" gems/plugins which will most likely cover 90% of the functionality that you need. You alsways can customize/add new functionality if needed.
Such plugins will do most of the grunt work for you: generate MVC, create database, do proper security checks, even email password recovery and such.
I've got a typical Authlogic setup that I need to enhance to require Customer ID in addition to Login and Password.
I've read a bit about using a custom find method and another about using a global variable for accessing the additional parameter and a third referring to documentation about using scopes that doesn't seem to exist.
Seems like this should be easy, but I can't seem to find the right approach.
Anyone got a solution?
In your UserSession class, add:
find_by_login_method :find_by_customer_id_or_login
In your User class, create this customer finder:
def self.find_by_customer_id_or_login(login)
User.find_by_customer_id(login) || User.find_by_login(login)
end
This is assuming a User has both a customer_id field and a login field.
Add a customer_id column through a migration and validate_presence_of :customer_id on your model. It doesn't have anything to do with authlogic. Unless there is more that you are trying to do.
I am using the authlogic gem for user validation on one of my sites. All is going well, but I am wondering if it's possible to change the error message that gets returned when the user types in an invalid email address.
Thanks!
authlogic has a special setting for this purpose:
class UserSession < Authlogic::Session::Base
generalize_credentials_error_messages true
end
The error message will be the same: "Email/Password combination is not valid", whether the password or email is bad. You can change the text of the message specifying a string instead of true:
generalize_credentials_error_messages "Try again"
You can override the settings for email validation with validates_format_of_email_field_options. However, if you only want to change the message you can merge options with merge_validates_format_of_email_field_options so that only the options you specify are overridden. You specify settings in your User controller like so:
class User < ActiveRecord::Base
acts_as_authentic do |c|
c.merge_validates_format_of_email_field_options :message => 'My message'
end
end
You can also change the settings for length and uniqueness validations. There are also a lot more other settings, take a look at the documentation, in the ::Config sections of each module you can find settings and their default values and how to override them.
Alternatively you can use localization and set error_messages.email_invalid (that's what the plugin looks for before setting it to the default English sentence, also useful if you are building an international application).
Override Authlogic error messages by changing in en.yml file
It works for me.
en:
authlogic:
error_messages:
login_blank: "Please enter the email address."
login_not_found: "This email address is already in the system. Please choose a different email address."
login_invalid: "Please enter a valid email address."