Module: Devise::Models::Authenticatable

Defined in:

lib/devise/models/authenticatable.rb

Overview

Authenticable Module, responsible for encrypting password and validating authenticity of a user while signing in.

Configuration:

You can overwrite configuration values by setting in globally in Devise, using devise method or overwriting the respective instance method.

pepper: encryption key used for creating encrypted password. Each time
        password changes, it's gonna be encrypted again, and this key
        is added to the password and salt to create a secure hash.
        Always use `rake secret' to generate a new key.

stretches: defines how many times the password will be encrypted.

encryptor: the encryptor going to be used. By default :sha1.

authentication_keys: parameters used for authentication. By default [:email]

Examples:

User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
User.find(1).valid_password?('password123')         # returns true/false

Defined Under Namespace

Modules: ClassMethods

Class Method Summary

• .included(base) ⇒ Object

Instance Method Summary

• #clean_up_passwords ⇒ Object

  Set password and password confirmation to nil.

• #old_password ⇒ Object

  TODO Remove me in next release.

• #password=(new_password) ⇒ Object

  Regenerates password salt and encrypted password each time password is set, and then trigger any “after_changed_password”-callbacks.

• #update_with_password(params = {}) ⇒ Object

  Update record attributes when :current_password matches, otherwise returns error on :current_password.

• #valid_authentication_token?(incoming_auth_token) ⇒ Boolean

  Verifies whether an incoming_authentication_token (i.e. from single access URL) is the user authentication token.

• #valid_for_authentication?(attributes) ⇒ Boolean

  Checks if a resource is valid upon authentication.

• #valid_password?(incoming_password) ⇒ Boolean

  Verifies whether an incoming_password (ie from sign in) is the user password.

Class Method Details

.included(base) ⇒ Object

# File 'lib/devise/models/authenticatable.rb', line 30

def self.included(base)
  base.class_eval do
    extend ClassMethods

    attr_reader :password, :current_password
    attr_accessor :password_confirmation
  end
end

Instance Method Details

#clean_up_passwords ⇒ Object

Set password and password confirmation to nil

# File 'lib/devise/models/authenticatable.rb', line 73

def clean_up_passwords
  self.password = self.password_confirmation = nil
end

#old_password ⇒ Object

TODO Remove me in next release

# File 'lib/devise/models/authenticatable.rb', line 40

def old_password
  ActiveSupport::Deprecation.warn "old_password is deprecated, please use current_password instead", caller
  @old_password
end

#password=(new_password) ⇒ Object

Regenerates password salt and encrypted password each time password is set, and then trigger any “after_changed_password”-callbacks.

# File 'lib/devise/models/authenticatable.rb', line 47

def password=(new_password)
  @password = new_password

  if @password.present?
    self.password_salt = self.class.encryptor_class.salt
    self.encrypted_password = password_digest(@password)
  end
end

#update_with_password(params = {}) ⇒ Object

Update record attributes when :current_password matches, otherwise returns error on :current_password. It also automatically rejects :password and :password_confirmation if they are blank.

# File 'lib/devise/models/authenticatable.rb', line 80

def update_with_password(params={})
  # TODO Remove me in next release
  if params[:old_password].present?
    params[:current_password] ||= params[:old_password]
    ActiveSupport::Deprecation.warn "old_password is deprecated, please use current_password instead", caller
  end

  params.delete(:password) if params[:password].blank?
  params.delete(:password_confirmation) if params[:password_confirmation].blank?
  current_password = params.delete(:current_password)

  result = if valid_password?(current_password)
    update_attributes(params)
  else
    message = current_password.blank? ? :blank : :invalid
    self.class.add_error_on(self, :current_password, message, false)
    self.attributes = params
    false
  end

  clean_up_passwords unless result
  result
end

#valid_authentication_token?(incoming_auth_token) ⇒ Boolean

Verifies whether an incoming_authentication_token (i.e. from single access URL) is the user authentication token.

Returns:

• (Boolean)

# File 'lib/devise/models/authenticatable.rb', line 63

def valid_authentication_token?(incoming_auth_token)
  incoming_auth_token == self.authentication_token
end

#valid_for_authentication?(attributes) ⇒ Boolean

Checks if a resource is valid upon authentication.

Returns:

• (Boolean)

# File 'lib/devise/models/authenticatable.rb', line 68

def valid_for_authentication?(attributes)
  valid_password?(attributes[:password])
end

#valid_password?(incoming_password) ⇒ Boolean

Verifies whether an incoming_password (ie from sign in) is the user password.

Returns:

• (Boolean)

# File 'lib/devise/models/authenticatable.rb', line 57

def valid_password?(incoming_password)
  password_digest(incoming_password) == self.encrypted_password
end