9

I'm creating a basic Ruby on Rails 4 project that allows user to create accounts, login, etc... I'm using the built in has_secure_password to manage the password. I don't want users to have to enter their password twice (i.e. require a password_confirmation input form field and corresponding model attribute). So, I'm looking for a way to turn the password_confirmation check/requirement off.

I found this answer that provides a potential solution, but the original question is different enough that I want to verify it separately. It recommends updating the user model to add the following:

class User < ActiveRecord::Base

  # ...

  has_secure_password validations: false
  validates :password, presence: true, length: { minimum: 6 }

end

This seems to work and allows my RSpec tests to pass. My two part question is:

  1. Are there any negative consequences or security problems with this approach?
  2. Are there alternate ways to turn off password_confirmation that are safer or more inline with "The Ruby Way"?
Improve this question

3 Answers 3

Reset to default
13

ActiveModel::SecurePassword has an options parameter to which you can specify not to perform validations.

has_secure_password validations: false

Then just make sure you perform a validation on your password field manually.

validates_presence_of :password, on: :create

Optionally the only other thing missing is to raise an error if the password_digest is somehow blank. I don't know how that could happen.

before_create { raise "Password digest missing on new record" if password_digest.blank? }

This seems to me resolves the issue as cleanly as possible.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

4

If you'll take a look at ActiveModel::SecurePassword, you'll see the validations created by has_secure_password.

if options.fetch(:validations, true)
      validates_confirmation_of :password, if: :should_confirm_password?
      validates_presence_of     :password, on: :create
      validates_presence_of     :password_confirmation, if: :should_confirm_password?

      before_create { raise "Password digest missing on new record" if password_digest.blank? }
end

by disabling validations, you're also preventing the check for the field :password_digest, which isn't a huge deal but still not ideal.

I think the better option is to override the default method, should_confirm_password?

# If password_confirmation is passed, business as usual.
# If not, don't run the validations
def should_confirm_password?
    password_confirmation.present? || false
end
Improve this answer

1 Comment

I don't think this is accurate in Rails 6 anymore. The approved answer is the better one.
0

For Rails 6, AFAICT (didn't check other versions), you simply don't pass a password_confirmation attribute to your model. It is not required by default.

See https://github.com/rails/rails/blob/master/activemodel/lib/active_model/validations/confirmation.rb#L75

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.