Don't hash invalid passwords twice
moritzhoeppner committed Nov 29, 2023
1 parent e2242a9 commit 991c5df
Showing 3 changed files with 25 additions and 2 deletions.
2 changes: 1 addition & 1 deletion app/controllers/devise/sessions_controller.rb
Expand Up @@ -34,7 +34,7 @@ def destroy
protected

def sign_in_params
devise_parameter_sanitizer.sanitize(:sign_in)
devise_parameter_sanitizer.sanitize(:sign_in).except('password')
end

def serialize_options(resource)
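Review bot: `sign_in_params` now drops `password` with no comment saying why, which invites a later maintainer to delete the `.except('password')` as dead code once they notice the sanitizer's default `:sign_in` list no longer contains `:password`. The call only matters when an app re-permits `password` for `:sign_in` through `devise_parameter_sanitizer.permit`, and in that case it is the last thing stopping `SessionsController#new` from assigning the password to a freshly built resource and running bcrypt on it a second time on every failed login; `new` is outside this hunk, so I cannot confirm here that it still builds `resource_class.new(sign_in_params)`. Suggest `# Never pass the password on: the resource built in #new would hash it again, doubling the bcrypt cost of every failed sign-in (the strategy reads it straight from the request).` above the method. A controller subclass that overrides `sign_in_params` bypasses this line entirely and is only protected by the sanitizer default.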
2 changes: 1 addition & 1 deletion lib/devise/parameter_sanitizer.rb
Expand Up @@ -36,7 +36,7 @@ module Devise
# end
class ParameterSanitizer
DEFAULT_PERMITTED_ATTRIBUTES = {
sign_in: [:password, :remember_me],
sign_in: [:remember_me],
sign_up: [:password, :password_confirmation],
account_update: [:password, :password_confirmation, :current_password]
}
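Review bot: The new `sign_in: [:remember_me]` entry carries no comment recording that `:password` is deliberately absent, and a contributor comparing it with the `sign_up` and `account_update` rows will read it as an omission and add it back, reintroducing the second hash. Suggest `# :password is intentionally absent: the strategy reads it from the request, and permitting it here only makes SessionsController#new assign (and re-hash) it on failed sign-ins.` on the line above `sign_in:`. The hash is also unfrozen (as it was before this commit), so `DEFAULT_PERMITTED_ATTRIBUTES[:sign_in] << :password` anywhere in an app silently undoes this; `.freeze` on the hash and its arrays would make that fail loudly, provided the constructor only copies from the constant, which I cannot see in this hunk. The `ParameterSanitizer` class starts and ends outside the hunk.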
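--- a/test/integration/database_authenticatable_test.rb
+++ b/test/integration/database_authenticatable_test.rb
@@ -74,6 +74,29 @@ class DatabaseAuthenticationTest < Devise::IntegrationTest
 assert_not warden.authenticated?(:admin)
 end
 
+test 'sign in with invalid credentials should not invoke Devise::Encryptor.digest' do
+module ::Devise::Encryptor
+class << self
+alias original_digest digest
+
+def digest(klass, password)
+raise 'Devise::Encryptor.digest should not be called here.'
+end
+end
+end
+
+visit_with_option nil, new_user_session_path
+fill_in 'email', with: '[email protected]'
+fill_in 'password', with: 'abcdef'
+click_button 'Log In'
+
+module ::Devise::Encryptor
+class << self
+alias digest original_digest
+end
+end
+end
+
 test 'when in paranoid mode and without a valid e-mail' do
 swap Devise, paranoid: true do
 store_translations :en, devise: { failure: { not_found_in_database: 'Not found in database' } } do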
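Review bot: The stub of `Devise::Encryptor.digest` installed at the top of the new test is only undone by the `alias digest original_digest` block at its end, so when the stub fires (the exact failure this test exists to catch) or anything in between raises, the raising `digest` stays installed and every later test in the process that hashes a password fails with the same message, burying the real regression. Wrap the page interaction in `begin`/`ensure` and restore the alias in the `ensure` branch. The test also never checks the outcome of the failed sign-in; `assert_not warden.authenticated?(:user)`, mirroring the `:admin` assertion in the test just above, confirms the request actually went through the failure path rather than stopping before the controller ran. The enclosing class `DatabaseAuthenticationTest` starts and ends outside the hunk.

```ruby
    begin
      # … unchanged: visit_with_option / fill_in / click_button …
      assert_not warden.authenticated?(:user)
    ensure
      module ::Devise::Encryptor
        class << self
          alias digest original_digest
        end
      end
    end
```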
