Module: Devise::Models::DatabaseAuthenticatable
Extended by: ActiveSupport::Concern
Defined in: lib/devise/models/database_authenticatable.rb
Overview
Authenticatable Module, responsible for hashing the password and validating the authenticity of a user while signing in.
This module defines a `password=` method. This method will hash the argument and store it in the `encrypted_password` column, bypassing any pre-existing `password` column if it exists.
Options
DatabaseAuthenticatable adds the following options to devise:
* +pepper+: a random string used to provide a more secure hash. Use `rails secret` to generate new keys.
* +stretches+: the cost given to bcrypt.
* +send_email_changed_notification+: notify original email when it changes.
* +send_password_change_notification+: notify email when password changes.
Examples
User.find(1).valid_password?('password123') # returns true/false
Defined Under Namespace
Modules: ClassMethods
Class Method Summary
- .required_fields(klass) ⇒ Object

Instance Method Summary
- #after_database_authentication ⇒ Object
  A callback initiated after successfully authenticating.
- #authenticatable_salt ⇒ Object
  A reliable way to expose the salt regardless of the implementation.
- #clean_up_passwords ⇒ Object
  Set password and password confirmation to nil.
- #destroy_with_password(current_password) ⇒ Object
  Destroy record when :current_password matches, otherwise returns error on :current_password.
- #initialize(*args, &block) ⇒ Object
- #password=(new_password) ⇒ Object
  Generates a hashed password based on the given value.
- #password_digest(password) ⇒ Object (protected)
  Hashes the password using bcrypt.
- #send_email_changed_notification ⇒ Object
  Send notification to user when email changes.
- #send_email_changed_notification? ⇒ Boolean (protected)
- #send_password_change_notification ⇒ Object
  Send notification to user when password changes.
- #send_password_change_notification? ⇒ Boolean (protected)
- #skip_email_changed_notification! ⇒ Object
  Skips sending the email changed notification after_update.
- #skip_password_change_notification! ⇒ Object
  Skips sending the password change notification after_update.
- #update_with_password(params) ⇒ Object
  Update record attributes when :current_password matches, otherwise returns error on :current_password.
- #update_without_password(params) ⇒ Object
  Updates record attributes without asking for the current password.
- #valid_password?(password) ⇒ Boolean
  Verifies whether a password (i.e. from sign in) is the user password.
Class Method Details
.required_fields(klass) ⇒ Object
# File 'lib/devise/models/database_authenticatable.rb', line 58
def self.required_fields(klass)
  [:encrypted_password] + klass.authentication_keys
end
Instance Method Details
#after_database_authentication ⇒ Object
A callback initiated after successfully authenticating. This can be used to insert your own logic that is only run after the user successfully authenticates.
Example:
def after_database_authentication
  self.update_attribute(:invite_code, nil)
end

# File 'lib/devise/models/database_authenticatable.rb', line 154
def after_database_authentication
end
#authenticatable_salt ⇒ Object
A reliable way to expose the salt regardless of the implementation.
# File 'lib/devise/models/database_authenticatable.rb', line 158
def authenticatable_salt
  encrypted_password[0,29] if encrypted_password
end
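The slice above is 29 characters because a bcrypt string is "$<version>$<cost>$" (7 characters) followed by a 22-character salt and then the 31-character hash. The parser below, added here as an example and not part of Devise, pulls those fields apart, shows why the nil guard matters, and adds a check a maintainer would want: flagging stored hashes whose cost is below the configured +stretches+. BCRYPT_FORMAT, parse_bcrypt, needs_rehash? and SAMPLE_DIGEST are names invented for this example, and the sample string is constructed to have the right shape; it is not real bcrypt output.

```ruby
# Added example (not Devise code): take apart the bcrypt "modular crypt" string
# Devise stores in encrypted_password, to show what the 29-character slice taken
# by authenticatable_salt contains: "$<version>$<cost>$" (7 chars) + 22-char salt.
BCRYPT_FORMAT = /\A\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

# Returns {version:, cost:, salt:, hash:}, or nil for a nil, legacy or malformed value.
def parse_bcrypt(encrypted_password)
  return nil if encrypted_password.nil?
  m = BCRYPT_FORMAT.match(encrypted_password)
  m && { version: m[1], cost: m[2].to_i, salt: m[3], hash: m[4] }
end

# The same slice Devise's authenticatable_salt takes.
def authenticatable_salt(encrypted_password)
  encrypted_password[0, 29] if encrypted_password
end

# Practitioner check: a stored hash whose cost is below the configured :stretches
# was created under a weaker setting and should be rehashed the next time the
# plaintext is available (i.e. at a successful sign-in). Values that do not parse
# as bcrypt at all are reported as needing a rehash too.
def needs_rehash?(encrypted_password, stretches)
  parsed = parse_bcrypt(encrypted_password)
  parsed.nil? || parsed[:cost] < stretches
end

# Constructed sample with the bcrypt shape (cost 12); not a real digest.
SAMPLE_DIGEST = '$2a$12$' + 'abcdefghijklmnopqrstuv' + 'ABCDEFGHIJKLMNOPQRSTUVWXYZ01234'
```

With this in place, `authenticatable_salt(SAMPLE_DIGEST)` returns `$2a$12$abcdefghijklmnopqrstuv`, and `needs_rehash?(SAMPLE_DIGEST, 13)` is true once the application raises +stretches+ above the value the hash was created with.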
#clean_up_passwords ⇒ Object
Set password and password confirmation to nil.
# File 'lib/devise/models/database_authenticatable.rb', line 76
def clean_up_passwords
  self.password = self.password_confirmation = nil
end
#destroy_with_password(current_password) ⇒ Object
Destroy record when :current_password matches, otherwise returns error on :current_password. It also automatically rejects :current_password if it is blank.
# File 'lib/devise/models/database_authenticatable.rb', line 132
def destroy_with_password(current_password)
  result = if valid_password?(current_password)
    destroy
  else
    valid?
    errors.add(:current_password, current_password.blank? ? :blank : :invalid)
    false
  end

  result
end
#initialize(*args, &block) ⇒ Object
# File 'lib/devise/models/database_authenticatable.rb', line 42
def initialize(*args, &block)
  @skip_email_changed_notification = false
  @skip_password_change_notification = false
  super
end
#password=(new_password) ⇒ Object
Generates a hashed password based on the given value. For legacy reasons, we use `encrypted_password` to store the hashed password.
# File 'lib/devise/models/database_authenticatable.rb', line 65
def password=(new_password)
  @password = new_password
  self.encrypted_password = password_digest(@password) if @password.present?
end
#password_digest(password) ⇒ Object (protected)
Hashes the password using bcrypt. Custom hash functions should override this method to apply their own algorithm.
See github.com/heartcombo/devise-encryptable for examples of other hashing engines.
# File 'lib/devise/models/database_authenticatable.rb', line 179
def password_digest(password)
  Devise::Encryptor.digest(self.class, password)
end
#send_email_changed_notification ⇒ Object
Send notification to user when email changes.
# File 'lib/devise/models/database_authenticatable.rb', line 163
def send_email_changed_notification
  send_devise_notification(:email_changed, to: devise_email_before_last_save)
end
#send_email_changed_notification? ⇒ Boolean (protected)
# File 'lib/devise/models/database_authenticatable.rb', line 183
def send_email_changed_notification?
  self.class.send_email_changed_notification && devise_saved_change_to_email? && !@skip_email_changed_notification
end
#send_password_change_notification ⇒ Object
Send notification to user when password changes.
# File 'lib/devise/models/database_authenticatable.rb', line 168
def send_password_change_notification
  send_devise_notification(:password_change)
end
#send_password_change_notification? ⇒ Boolean (protected)
# File 'lib/devise/models/database_authenticatable.rb', line 187
def send_password_change_notification?
  self.class.send_password_change_notification && devise_saved_change_to_encrypted_password? && !@skip_password_change_notification
end
#skip_email_changed_notification! ⇒ Object
Skips sending the email changed notification after_update.
# File 'lib/devise/models/database_authenticatable.rb', line 49
def skip_email_changed_notification!
  @skip_email_changed_notification = true
end
#skip_password_change_notification! ⇒ Object
Skips sending the password change notification after_update.
# File 'lib/devise/models/database_authenticatable.rb', line 54
def skip_password_change_notification!
  @skip_password_change_notification = true
end
#update_with_password(params) ⇒ Object
Update record attributes when :current_password matches, otherwise returns error on :current_password.
This method also rejects the password field if it is blank (allowing users to change relevant information like the e-mail without changing their password). In case the password field is rejected, the confirmation is also rejected as long as it is also blank.
# File 'lib/devise/models/database_authenticatable.rb', line 87
def update_with_password(params)
  current_password = params.delete(:current_password)

  if params[:password].blank?
    params.delete(:password)
    params.delete(:password_confirmation) if params[:password_confirmation].blank?
  end

  result = if valid_password?(current_password)
    update(params)
  else
    assign_attributes(params)
    valid?
    errors.add(:current_password, current_password.blank? ? :blank : :invalid)
    false
  end

  clean_up_passwords
  result
end
#update_without_password(params) ⇒ Object
Updates record attributes without asking for the current password. Never allows a change to the current password. If you are using this method, you should probably override this method to protect other attributes you would not like to be updated without a password.
Example:
def update_without_password(params)
  params.delete(:email)
  super(params)
end

# File 'lib/devise/models/database_authenticatable.rb', line 120
def update_without_password(params)
  params.delete(:password)
  params.delete(:password_confirmation)

  result = update(params)
  clean_up_passwords
  result
end
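As an added example (not Devise code), the class below reproduces the documented control flow of update_with_password, update_without_password and destroy_with_password on an in-memory record, including the +pepper+ and +stretches+ options from the Options section. So that it runs without the bcrypt gem it hashes with PBKDF2-HMAC-SHA256 over a per-record salt (an assumption; Devise uses bcrypt via Devise::Encryptor), and DemoUser, its PEPPER/STRETCHES constants and its save/reload helpers are all invented for this example.

```ruby
require 'openssl'
require 'securerandom'

# In-memory stand-in for a Devise model (added example, not Devise code).
# Hashing is PBKDF2-HMAC-SHA256 with a per-record salt, an assumption so the
# example runs without the bcrypt gem; Devise uses bcrypt via Devise::Encryptor.
class DemoUser
  PEPPER    = 'constructed-pepper-value' # stands in for the :pepper option
  STRETCHES = 2_000                      # stands in for :stretches (iterations here, bcrypt cost in Devise)

  attr_reader :email, :encrypted_password, :password, :password_confirmation, :errors
  attr_writer :password_confirmation

  def initialize(email:, password:)
    @email, @errors, @destroyed = email, {}, false
    self.password = password
    save
  end

  # Like Devise's password=: hash the value and store it in encrypted_password.
  def password=(new_password)
    @password = new_password
    @encrypted_password = password_digest(new_password) unless new_password.to_s.empty?
  end

  # Recompute the digest with the stored salt and compare in constant time.
  def valid_password?(candidate)
    return false if encrypted_password.to_s.empty? || candidate.to_s.empty?
    _scheme, salt_hex, key_hex = encrypted_password.split('$')
    secure_compare(derive(candidate, [salt_hex].pack('H*')), [key_hex].pack('H*'))
  end

  # Documented flow: blank password fields are dropped so the e-mail can change alone;
  # a blank or wrong current_password adds :blank / :invalid and nothing is saved.
  def update_with_password(params)
    current_password = params.delete(:current_password)
    if params[:password].to_s.empty?
      params.delete(:password)
      params.delete(:password_confirmation) if params[:password_confirmation].to_s.empty?
    end
    result = if valid_password?(current_password)
      update(params)
    else
      assign_attributes(params) # form input stays on the object but is not saved
      errors[:current_password] = current_password.to_s.empty? ? :blank : :invalid
      false
    end
    clean_up_passwords
    result
  end

  # Never lets this path change the password, whatever the caller sends.
  def update_without_password(params)
    params.delete(:password)
    params.delete(:password_confirmation)
    result = update(params)
    clean_up_passwords
    result
  end

  def destroy_with_password(current_password)
    return (@destroyed = true) if valid_password?(current_password)
    errors[:current_password] = current_password.to_s.empty? ? :blank : :invalid
    false
  end

  def clean_up_passwords; @password = @password_confirmation = nil; end
  def destroyed?;         @destroyed;                                end
  def save;               @saved = [@email, @encrypted_password]; true; end
  def reload;             @email, @encrypted_password = @saved;   self; end # drops unsaved changes

  private

  # Clearing errors first mirrors the fresh validation pass Devise's valid? performs.
  def assign_attributes(params)
    errors.clear
    @email = params[:email] if params.key?(:email)
    self.password = params[:password] if params.key?(:password)
    self.password_confirmation = params[:password_confirmation] if params.key?(:password_confirmation)
  end

  def update(params); assign_attributes(params); save; end

  def password_digest(plain)
    salt = SecureRandom.random_bytes(16)
    "pbkdf2$#{salt.unpack1('H*')}$#{derive(plain, salt).unpack1('H*')}"
  end

  # The pepper is appended to the password before hashing, as Devise::Encryptor does.
  def derive(plain, salt)
    OpenSSL::KDF.pbkdf2_hmac("#{plain}#{PEPPER}", salt: salt, iterations: STRETCHES, length: 32, hash: 'sha256')
  end

  # Constant-time byte comparison, the same shape as Devise.secure_compare.
  def secure_compare(a, b)
    return false if a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Calling `update_with_password(email: 'new@example.test', current_password: '')` on a DemoUser returns false with `errors[:current_password] == :blank`, and `reload` shows the e-mail was never persisted; passing blank `password`/`password_confirmation` with the correct `current_password` changes the e-mail while leaving `encrypted_password` untouched, and `update_without_password(password: 'x')` can never alter the stored digest.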