module Devise::Models::DatabaseAuthenticatable

Authenticatable Module, responsible for hashing the password and validating the authenticity of a user while signing in.

This module defines a ‘password=` method. This method will hash the argument and store it in the `encrypted_password` column, bypassing any pre-existing `password` column if it exists.

Options

DatabaseAuthenticatable adds the following options to devise:

* +pepper+: a random string used to provide a more secure hash. Use
  `rails secret` to generate new keys.

* +stretches+: the cost given to bcrypt.

* +send_email_changed_notification+: notify original email when it changes.

* +send_password_change_notification+: notify email when password changes.

Examples

User.find(1).valid_password?('password123')         # returns true/false

Attributes

current_password[R]
password[R]
password_confirmation[RW]

Public Class Methods

new(*args, &block) click to toggle source
Calls superclass method
# File lib/devise/models/database_authenticatable.rb, line 42
def initialize(*args, &block)
  @skip_email_changed_notification = false
  @skip_password_change_notification = false
  super
end
required_fields(klass) click to toggle source
# File lib/devise/models/database_authenticatable.rb, line 58
def self.required_fields(klass)
  [:encrypted_password] + klass.authentication_keys
end

Public Instance Methods

after_database_authentication() click to toggle source

A callback initiated after successfully authenticating. This can be used to insert your own logic that is only run after the user successfully authenticates.

Example:

def after_database_authentication
  self.update_attribute(:invite_code, nil)
end
# File lib/devise/models/database_authenticatable.rb, line 172
def after_database_authentication
end
authenticatable_salt() click to toggle source

A reliable way to expose the salt regardless of the implementation.

# File lib/devise/models/database_authenticatable.rb, line 176
def authenticatable_salt
  encrypted_password[0,29] if encrypted_password
end
clean_up_passwords() click to toggle source

Set password and password confirmation to nil

# File lib/devise/models/database_authenticatable.rb, line 76
def clean_up_passwords
  self.password = self.password_confirmation = nil
end
destroy_with_password(current_password) click to toggle source

Destroy record when :current_password matches, otherwise returns error on :current_password. It also automatically rejects :current_password if it is blank.

# File lib/devise/models/database_authenticatable.rb, line 150
def destroy_with_password(current_password)
  result = if valid_password?(current_password)
    destroy
  else
    valid?
    errors.add(:current_password, current_password.blank? ? :blank : :invalid)
    false
  end

  result
end
password=(new_password) click to toggle source

Generates a hashed password based on the given value. For legacy reasons, we use ‘encrypted_password` to store the hashed password.

# File lib/devise/models/database_authenticatable.rb, line 65
def password=(new_password)
  @password = new_password
  self.encrypted_password = password_digest(@password) if @password.present?
end
send_email_changed_notification() click to toggle source

Send notification to user when email changes.

# File lib/devise/models/database_authenticatable.rb, line 181
def send_email_changed_notification
  send_devise_notification(:email_changed, to: devise_email_before_last_save)
end
send_password_change_notification() click to toggle source

Send notification to user when password changes.

# File lib/devise/models/database_authenticatable.rb, line 186
def send_password_change_notification
  send_devise_notification(:password_change)
end
skip_email_changed_notification!() click to toggle source

Skips sending the email changed notification after_update

# File lib/devise/models/database_authenticatable.rb, line 49
def skip_email_changed_notification!
  @skip_email_changed_notification = true
end
skip_password_change_notification!() click to toggle source

Skips sending the password change notification after_update

# File lib/devise/models/database_authenticatable.rb, line 54
def skip_password_change_notification!
  @skip_password_change_notification = true
end
update_with_password(params, *options) click to toggle source

Update record attributes when :current_password matches, otherwise returns error on :current_password.

This method also rejects the password field if it is blank (allowing users to change relevant information like the e-mail without changing their password). In case the password field is rejected, the confirmation is also rejected as long as it is also blank.

# File lib/devise/models/database_authenticatable.rb, line 87
      def update_with_password(params, *options)
        if options.present?
          Devise.deprecator.warn <<-DEPRECATION.strip_heredoc
            [Devise] The second argument of `DatabaseAuthenticatable#update_with_password`
            (`options`) is deprecated and it will be removed in the next major version.
            It was added to support a feature deprecated in Rails 4, so you can safely remove it
            from your code.
          DEPRECATION
        end

        current_password = params.delete(:current_password)

        if params[:password].blank?
          params.delete(:password)
          params.delete(:password_confirmation) if params[:password_confirmation].blank?
        end

        result = if valid_password?(current_password)
          update(params, *options)
        else
          assign_attributes(params, *options)
          valid?
          errors.add(:current_password, current_password.blank? ? :blank : :invalid)
          false
        end

        clean_up_passwords
        result
      end
update_without_password(params, *options) click to toggle source

Updates record attributes without asking for the current password. Never allows a change to the current password. If you are using this method, you should probably override this method to protect other attributes you would not like to be updated without a password.

Example:

def update_without_password(params, *options)
  params.delete(:email)
  super(params)
end
# File lib/devise/models/database_authenticatable.rb, line 129
      def update_without_password(params, *options)
        if options.present?
          Devise.deprecator.warn <<-DEPRECATION.strip_heredoc
            [Devise] The second argument of `DatabaseAuthenticatable#update_without_password`
            (`options`) is deprecated and it will be removed in the next major version.
            It was added to support a feature deprecated in Rails 4, so you can safely remove it
            from your code.
          DEPRECATION
        end

        params.delete(:password)
        params.delete(:password_confirmation)

        result = update(params, *options)
        clean_up_passwords
        result
      end
valid_password?(password) click to toggle source

Verifies whether a password (ie from sign in) is the user password.

# File lib/devise/models/database_authenticatable.rb, line 71
def valid_password?(password)
  Devise::Encryptor.compare(self.class, encrypted_password, password)
end

Protected Instance Methods

password_digest(password) click to toggle source

Hashes the password using bcrypt. Custom hash functions should override this method to apply their own algorithm.

See github.com/heartcombo/devise-encryptable for examples of other hashing engines.

# File lib/devise/models/database_authenticatable.rb, line 197
def password_digest(password)
  Devise::Encryptor.digest(self.class, password)
end
send_email_changed_notification?() click to toggle source
# File lib/devise/models/database_authenticatable.rb, line 201
def send_email_changed_notification?
  self.class.send_email_changed_notification && devise_saved_change_to_email? && !@skip_email_changed_notification
end
send_password_change_notification?() click to toggle source
# File lib/devise/models/database_authenticatable.rb, line 205
def send_password_change_notification?
  self.class.send_password_change_notification && devise_saved_change_to_encrypted_password? && !@skip_password_change_notification
end