Devise allows blank password during password reset - ruby-on-rails

I have a Rails 3.2 app setup with Devise. Everything works great except for when I reset a password ( via the built in routes and methods ), Devise is allowing a blank password. It will validate the length and if it matches the confirmation if there is at least one character. I do have it setup where in a users account they can update their profile without entering the password, but I don't think that has anything to do with resetting the password.
Any help is appreciated.
devise.rb -> http://pastie.org/3911178
user.rb -> http://pastie.org/3911187

Thanks for pointing me in the right direction. The problem was caused by what you described. However, if I let devise handle the validation or use the same code they do, the user must provide a password when updating their account even after they are logged in. To fix this, I just checked for the rest_password_token in my validation:
def password_required?
# If resetting the password
return true if reset_password_token.present? && reset_password_period_valid?
# If the person already has a pass, only validate if they are updating pass
if !encrypted_password.blank?
password.present? || password_confirmation.present?
end
end
*UPDATE
I just updated this to ensure the password token is not expired.

You should let devise handler password validations: https://github.com/plataformatec/devise/blob/master/lib/devise/models/validatable.rb or use the code devise is using for validations.
The issue with your code is that you're doing validations only if the user doesn't has a password set (!encrypted_password.blank?) and other conditions. When recovering the password the user already has a password set so you don't run validations on password updates ...

Related

How to skip validation on regeneration of secure token

So I'm sending out password reset e-mails and I've hit a stump on how to solve this issue, so after the user has reset their password. I regenerate a new password reset token (I know this is bad, before I had it generate when I was sending out the password reset request, but that didn't work so I tried this.). Every time I regenerate the token it does not skip validations that I have set in the model.
As said before, I have tried switching it around, regenerating a new token before I send the e-mail and now after they have reset their password. I have also looked the documentation of has_secure_token and I don't see anywhere where I can skip validation when I regenerate a token.
This is my code for resetting the password in the User model.
def reset_password(password)
self.regenerate_reset_password_token
self.password = password
save(:validate => false)
end
I'm getting the error for validating my user's passwords, when regenerating the token, as said before not sure how to skip the validation when regenerating the token on line 2 of the code above.
Validation failed: Password can't be blank, Password is too short (minimum is 8 characters)
You can do
def generate_password_reset_token
self.reset_password_token = generate_token
self.reset_password_sent_at = Time.now
save!
end
def generate_token
SecureRandom.base58(5)
end

reset_password_sent_at assignment for devise

The issue is that devise is checking the reset_password_sent_at when a user clicks on the link to reset their password (from an email) and when trying to reset (in the form) an error occurs:
Reset password token has expired, please request a new one
Meaning, "when a reset_password_token is generated, #user.reset_password_sent_at needs to be set to Time.now, or else when devise runs #user.reset_password_period_valid? to find out if the reset token is still valid, it will get nil and assume the token has expired."
What I don't understand is how and where to assign reset_password_sent_at to Time.now
Do I need to assign Time.now through the console to all Users? If so, How would I do that?
Or, is it a before_create (or something else) that I need to assign Time.now to reset_password_sent_at? If so, how and where should I do this?
You don't need to worry about reset_password_sent_at; that is something devise will take care of setting correctly when a reset_password is sent to the user.
reset_password_sent_at works in conjunction with the reset_password_within parameter, set in the config/initializers/devise.rb file. It should look something like this:
config.reset_password_within = 2.hours
Most likely it is set to nil or 0, and that is making the application throw the password reset token has expired method.

Ruby on Rails - Devise welcome email to new users with reset password in Active Admin

Im using RoR 3.2.3 and Devise and Active Admin is working great.
However, there is something I am not getting.
In my app, users cannot register themselves, only an Admin can register other users.
This is all working, the Admin goes into the Active Admin panel->Users->New and fills the username and email and clicks "Create".
In order to give the customer the option of clreating his new password I'm using in mt AA user model:
after_create { |user| user.send_reset_password_instructions }
def password_required?
new_record? ? false : super
end
However, I don't want the email to send the text that devise uses, but rather a welcoming text and not something like "A link to change your password has been requested..." as there was no password to begin with.
In short, I want to use the send_reset_password_instructionsdevise method without using it's devise/mailer/reset_password_instructions view for when a new user is created.
However if the user forgets his password then he clicks the "Forgot Password" link and an email is to be sent with that default text already provided by Devise.
Any tips on how to make this work?
Thanks in advance,
Regards
Its very simple actually, set config.scoped_views = true in config/initializers/devise.rb
Then run
rails g devise:views users
this will generate all the views files devise uses, you can make changes to the
app/views/users/mailer/reset_password_instructions.html.erb file to what you need or any other file you wish to change.

How do I reset a user password from the console in Hobo/Rails

The rails framework Hobo is brilliant and automatically creates the first user as the admin user (unless you ask it not to). The problem I have is that running rails in development I can't remember what the password was. This should be trivial because I just run rails console, find the user admin = User.find :first and reset the password (trying)
admin.password = 'Anything1234'
admin.password_confirmation = admin.password
admin.save
>false
admin.errors
>{:current_password=>["is not correct"]}
I.e. the implication is that the variable current_password needs to be set correctly before I can change the existing password.
I'm afraid the Hobo documentation doesn't help in this case. Does anyone know the how to drive the Hobo user model to reset the password?
4 possible solutions:
1: run your app, and click on the forgot password link. The message will appear in your logs, so you don't need a mailer set up.
2: Just save without doing any validations:
admin.save(false)
EDIT: in Rails 3 this is
admin.save(:validate => false)
3: Another option is just to delete all users so you get your initial user entry screen back.
4: If you really want to run the validations, you can trigger the request_password_reset lifecycle:
admin.lifecycle.request_password_reset!(Guest.new)
then look in development log for the reset password key
u.lifecycle.reset_password!(Guest.new, :key => 'a0a2db1035065fa7ad5d46d35669d206aee73668', :password=>"test123", :password_confirmation=>"test123")
Yes, you need to set the current_password before you set the password and password_confirmation fields. This is to stop the user from changing the password without originally knowing the password.
Therefore, you would need to do something like this:
admin.current_password = 'password'
admin.password = 'Anything1234'
admin.password_confirmation = admin.password
admin.save

OmniAuth and Devise, how to set optional passwords

I am using OmniAuth and Devise to authenticate users. I would like users that have signed up using OmniAuth providers to be able to set an optional password (needed for API authentication) but I'm running into a wall.
If a user creates an account via OmniAuth and tries to set a password they get the following error:
BCrypt::Errors::InvalidHash in RegistrationsController#update
I believe this is because the password is blank. What's a good way around this? I've thought about generating a random password but the problem with that approach is the user needs to know the current password in order to edit settings.
Edit:
I looked at allowing the user to change settings without requiring a current password and that's what I would like to do only if the user didn't have a password initially.
An alternative is to add the following into your 'user' model class to bypass password verification if there is no password to verify, where provider is some field that is set when using external authentication.
def valid_password?(password)
!provider.nil? || super(password)
end
I assume you don't want the easy way out which would be to simply reset the password if they wanted to set it?
user.send_reset_password_instructions
This comes a bit late but it might help someone else, with Andrew's answer you can in create a password and store it in the database, but you can't login using your email and your new password, solved this by setting:
def valid_password
!provider.nil? && !encrypted_password.present? || super
end
Another alternative. You don't have to include a new field. Just catch the exception raised and return false. Here is the code.
def valid_password?(password)
begin
super(password)
rescue BCrypt::Errors::InvalidHash
return false
end
end
This should do the job.

Resources