Skip to content

Raise ArgumentError when calling change_password! with blank password #333

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Feb 8, 2023
Merged

Raise ArgumentError when calling change_password! with blank password #333

merged 2 commits into from
Feb 8, 2023

Conversation

Spone
Copy link
Contributor

@Spone Spone commented Jan 18, 2023
edited
Loading

Close #329

When calling @user.change_password!("") or @user.change_password!(nil), a ArgumentError exception is now raised, because the password is missing, so it won't be modified.

Please ensure your pull request includes the following:

  • Description of changes
  • Update to CHANGELOG.md with short description and link to pull request
  • Changes have related RSpec tests that ensure functionality does not break

@Spone Spone mentioned this pull request Jan 18, 2023
Closed
@joshbuker
Copy link
Member

joshbuker commented Jan 19, 2023
edited
Loading

Digging through the code, I can't put a finger on where it prevents change_password from accepting a nil/blank password. As far as I can tell, it should pass it to the crypto provider (usually bcrypt), which will accept nil/blank. That said, I tried it locally, and change_password will indeed do nothing if you set the new password as nil/blank.

Not necessarily a blocker on this PR, but I would like to understand better what is going on there.

@Spone
Copy link
Contributor Author

Spone commented Jan 19, 2023

I only changed the bang version (change_password!). Would it make sense to modify change_password's behavior as well? I'm not sure.

@Spone
Copy link
Contributor Author

Spone commented Feb 8, 2023

@joshbuker I'm awaiting further instructions here :)

@joshbuker
Copy link
Member

At the dentist, I'll take another look and probably merge this in about an hour.

@joshbuker joshbuker merged commit b747516 into Sorcery:master Feb 8, 2023
@joshbuker
Copy link
Member

Looks good, at some point I should dig more into that code to understand what's going on, and this is a bit of a breaking change API-wise. That said, I suspect it shouldn't be an issue, considering most (all?) applications would raise an error on blank password with the virtual attribute validators anyway.

@Spone Spone deleted the change-password-silent-fail branch February 8, 2023 23:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshbuker joshbuker joshbuker approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

#change_password! with an empty string fails silently
2 participants
@Spone @joshbuker