I’m using the “has_secure_password” way to store a secure password in the database. When creating an user by the admin (in my app users are created, users can’t create an account themselves), in the user model the password_digest is filled by a method to create a random password (see code). When the record is then saved, it is saved secure. So the user method is creating a password_digest say “TY5665^%^”, then it is saved in the database say “Y^6&$d%$56GFT”. Great!
before_validation :create_random_password, :on => :create
def create_random_password
self.password_digest = SecureRandom.hex(5)
end
But when the new user logs in and changes his password in his profile, the new password gets saved OK, but unsecured! Say the user is changing it to “password1”, it also gets saved as “password1” in the database. So why is the secure password working on create, but not on update?
Without seeing your update code, make sure your update is to :password, not :password_digest. The magic behind the creation of a password hash to go into :password_digest only starts with :password.
Surprised that you can save your own password directly onto :password_digest and it would work when authenticating. I’d think it would take the password provided by the user, hash it, and then compare the hash to :password_digest (which couldn’t be their password).
This is what I do, which may solve the issue:
Send the user self.temporary_password, and when they update it, change temporary_password to nil. Then you can know when a user has a temporary password that requires changing.