Module: Devise::Models::DatabaseAuthenticatable

Extended by:
ActiveSupport::Concern
Defined in:
lib/devise/models/database_authenticatable.rb

Overview

Authenticatable Module, responsible for encrypting password and validating authenticity of a user while signing in.

Options

DatabaseAuthenticatable adds the following options to devise_for:

* +pepper+: a random string used to provide a more secure hash. Use
  `rake secret` to generate new keys.

* +stretches+: the cost given to bcrypt.

Examples

User.find(1).valid_password?('password123')         # returns true/false

Defined Under Namespace

Modules: ClassMethods

Class Method Summary collapse

Instance Method Summary collapse

Class Method Details

.required_fields(klass) ⇒ Object 



36
37
38
 
# File 'lib/devise/models/database_authenticatable.rb', line 36

def self.required_fields(klass)
  [:encrypted_password] + klass.authentication_keys
end

Instance Method Details

#after_database_authenticationObject

A callback initiated after successfully authenticating. This can be used to insert your own logic that is only run after the user successfully authenticates.

Example:

def after_database_authentication
  self.update_attribute(:invite_code, nil)
end



130
131
 
# File 'lib/devise/models/database_authenticatable.rb', line 130

def after_database_authentication
end

#authenticatable_saltObject

A reliable way to expose the salt regardless of the implementation.



134
135
136
 
# File 'lib/devise/models/database_authenticatable.rb', line 134

def authenticatable_salt
  encrypted_password[0,29] if encrypted_password
end

#clean_up_passwordsObject

Set password and password confirmation to nil



52
53
54
 
# File 'lib/devise/models/database_authenticatable.rb', line 52

def clean_up_passwords
  self.password = self.password_confirmation = nil
end

#destroy_with_password(current_password) ⇒ Object

Destroy record when :current_password matches, otherwise returns error on :current_password. It also automatically rejects :current_password if it is blank.



108
109
110
111
112
113
114
115
116
117
118
 
# File 'lib/devise/models/database_authenticatable.rb', line 108

def destroy_with_password(current_password)
  result = if valid_password?(current_password)
    destroy
  else
    self.valid?
    self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
    false
  end

  result
end

#password=(new_password) ⇒ Object

Generates password encryption based on the given value.



41
42
43
44
 
# File 'lib/devise/models/database_authenticatable.rb', line 41

def password=(new_password)
  @password = new_password
  self.encrypted_password = password_digest(@password) if @password.present?
end

#password_digest(password) ⇒ Object (protected)

Digests the password using bcrypt. Custom encryption should override this method to apply their own algorithm.

See github.com/plataformatec/devise-encryptable for examples of other encryption engines.



149
150
151
 
# File 'lib/devise/models/database_authenticatable.rb', line 149

def password_digest(password)
  Devise::Encryptor.digest(self.class, password)
end

#send_password_change_notificationObject 



138
139
140
 
# File 'lib/devise/models/database_authenticatable.rb', line 138

def send_password_change_notification
  send_devise_notification(:password_change)
end

#send_password_change_notification?Boolean (protected)

Returns:

  • (Boolean) 


153
154
155
 
# File 'lib/devise/models/database_authenticatable.rb', line 153

def send_password_change_notification?
  self.class.send_password_change_notification && encrypted_password_changed?
end

#update_with_password(params, *options) ⇒ Object

Update record attributes when :current_password matches, otherwise returns error on :current_password.

This method also rejects the password field if it is blank (allowing users to change relevant information like the e-mail without changing their password). In case the password field is rejected, the confirmation is also rejected as long as it is also blank.



63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
 
# File 'lib/devise/models/database_authenticatable.rb', line 63

def update_with_password(params, *options)
  current_password = params.delete(:current_password)

  if params[:password].blank?
    params.delete(:password)
    params.delete(:password_confirmation) if params[:password_confirmation].blank?
  end

  result = if valid_password?(current_password)
    update_attributes(params, *options)
  else
    self.assign_attributes(params, *options)
    self.valid?
    self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
    false
  end

  clean_up_passwords
  result
end

#update_without_password(params, *options) ⇒ Object

Updates record attributes without asking for the current password. Never allows a change to the current password. If you are using this method, you should probably override this method to protect other attributes you would not like to be updated without a password.

Example:

def update_without_password(params, *options)
  params.delete(:email)
  super(params)
end



96
97
98
99
100
101
102
103
 
# File 'lib/devise/models/database_authenticatable.rb', line 96

def update_without_password(params, *options)
  params.delete(:password)
  params.delete(:password_confirmation)

  result = update_attributes(params, *options)
  clean_up_passwords
  result
end

#valid_password?(password) ⇒ Boolean

Verifies whether a password (ie from sign in) is the user password.

Returns:

  • (Boolean) 


47
48
49
 
# File 'lib/devise/models/database_authenticatable.rb', line 47

def valid_password?(password)
  Devise::Encryptor.compare(self.class, encrypted_password, password)
end