Module: Devise::Models::DatabaseAuthenticatable
- Extended by:
- ActiveSupport::Concern
- Defined in:
- lib/devise/models/database_authenticatable.rb
Overview
Authenticatable Module, responsible for hashing the password and validating the authenticity of a user while signing in.
Options
DatabaseAuthenticatable adds the following options to devise_for:
* +pepper+: a random string used to provide a more secure hash. Use
`rake secret` to generate new keys.
* +stretches+: the cost given to bcrypt.
* +send_email_changed_notification+: notify original email when it changes.
* +send_password_change_notification+: notify email when password changes.
Examples
User.find(1).valid_password?('password123') # returns true/false
Defined Under Namespace
Modules: ClassMethods
Class Method Summary collapse
Instance Method Summary collapse
-
#after_database_authentication ⇒ Object
A callback initiated after successfully authenticating.
-
#authenticatable_salt ⇒ Object
A reliable way to expose the salt regardless of the implementation.
-
#clean_up_passwords ⇒ Object
Set password and password confirmation to nil.
-
#destroy_with_password(current_password) ⇒ Object
Destroy record when :current_password matches, otherwise returns error on :current_password.
-
#password=(new_password) ⇒ Object
Generates a hashed password based on the given value.
-
#password_digest(password) ⇒ Object
protected
Hashes the password using bcrypt.
-
#send_email_changed_notification ⇒ Object
Send notification to user when email changes.
- #send_email_changed_notification? ⇒ Boolean protected
-
#send_password_change_notification ⇒ Object
Send notification to user when password changes.
- #send_password_change_notification? ⇒ Boolean protected
-
#update_with_password(params, *options) ⇒ Object
Update record attributes when :current_password matches, otherwise returns error on :current_password.
-
#update_without_password(params, *options) ⇒ Object
Updates record attributes without asking for the current password.
-
#valid_password?(password) ⇒ Boolean
Verifies whether a password (ie from sign in) is the user password.
Class Method Details
.required_fields(klass) ⇒ Object
36 37 38 |
# File 'lib/devise/models/database_authenticatable.rb', line 36 def self.required_fields(klass) [:encrypted_password] + klass.authentication_keys end |
Instance Method Details
#after_database_authentication ⇒ Object
A callback initiated after successfully authenticating. This can be used to insert your own logic that is only run after the user successfully authenticates.
Example:
def after_database_authentication
self.update_attribute(:invite_code, nil)
end
132 133 |
# File 'lib/devise/models/database_authenticatable.rb', line 132 def after_database_authentication end |
#authenticatable_salt ⇒ Object
A reliable way to expose the salt regardless of the implementation.
136 137 138 |
# File 'lib/devise/models/database_authenticatable.rb', line 136 def authenticatable_salt encrypted_password[0,29] if encrypted_password end |
#clean_up_passwords ⇒ Object
Set password and password confirmation to nil
54 55 56 |
# File 'lib/devise/models/database_authenticatable.rb', line 54 def clean_up_passwords self.password = self.password_confirmation = nil end |
#destroy_with_password(current_password) ⇒ Object
Destroy record when :current_password matches, otherwise returns error on :current_password. It also automatically rejects :current_password if it is blank.
110 111 112 113 114 115 116 117 118 119 120 |
# File 'lib/devise/models/database_authenticatable.rb', line 110 def destroy_with_password(current_password) result = if valid_password?(current_password) destroy else self.valid? self.errors.add(:current_password, current_password.blank? ? :blank : :invalid) false end result end |
#password=(new_password) ⇒ Object
Generates a hashed password based on the given value. For legacy reasons, we use ‘encrypted_password` to store the hashed password.
43 44 45 46 |
# File 'lib/devise/models/database_authenticatable.rb', line 43 def password=(new_password) @password = new_password self.encrypted_password = password_digest(@password) if @password.present? end |
#password_digest(password) ⇒ Object (protected)
Hashes the password using bcrypt. Custom hash functions should override this method to apply their own algorithm.
See github.com/plataformatec/devise-encryptable for examples of other hashing engines.
157 158 159 |
# File 'lib/devise/models/database_authenticatable.rb', line 157 def password_digest(password) Devise::Encryptor.digest(self.class, password) end |
#send_email_changed_notification ⇒ Object
Send notification to user when email changes.
141 142 143 |
# File 'lib/devise/models/database_authenticatable.rb', line 141 def send_email_changed_notification send_devise_notification(:email_changed, to: email_was) end |
#send_email_changed_notification? ⇒ Boolean (protected)
161 162 163 |
# File 'lib/devise/models/database_authenticatable.rb', line 161 def send_email_changed_notification? self.class.send_email_changed_notification && email_changed? end |
#send_password_change_notification ⇒ Object
Send notification to user when password changes.
146 147 148 |
# File 'lib/devise/models/database_authenticatable.rb', line 146 def send_password_change_notification send_devise_notification(:password_change) end |
#send_password_change_notification? ⇒ Boolean (protected)
165 166 167 |
# File 'lib/devise/models/database_authenticatable.rb', line 165 def send_password_change_notification? self.class.send_password_change_notification && encrypted_password_changed? end |
#update_with_password(params, *options) ⇒ Object
Update record attributes when :current_password matches, otherwise returns error on :current_password.
This method also rejects the password field if it is blank (allowing users to change relevant information like the e-mail without changing their password). In case the password field is rejected, the confirmation is also rejected as long as it is also blank.
65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 |
# File 'lib/devise/models/database_authenticatable.rb', line 65 def update_with_password(params, *) current_password = params.delete(:current_password) if params[:password].blank? params.delete(:password) params.delete(:password_confirmation) if params[:password_confirmation].blank? end result = if valid_password?(current_password) update_attributes(params, *) else self.assign_attributes(params, *) self.valid? self.errors.add(:current_password, current_password.blank? ? :blank : :invalid) false end clean_up_passwords result end |
#update_without_password(params, *options) ⇒ Object
Updates record attributes without asking for the current password. Never allows a change to the current password. If you are using this method, you should probably override this method to protect other attributes you would not like to be updated without a password.
Example:
def update_without_password(params, *)
params.delete(:email)
super(params)
end
98 99 100 101 102 103 104 105 |
# File 'lib/devise/models/database_authenticatable.rb', line 98 def update_without_password(params, *) params.delete(:password) params.delete(:password_confirmation) result = update_attributes(params, *) clean_up_passwords result end |