:database_authenticatable issue with clean_passwords

[eppdot]

Within the :database_authenticatable there is an issue at Line 40

Whenever the passwords are cleaned (set to nil), e.g. in the RegistrationsController the encrypted_password remains dirty, which can have heavy security affecting side-effects.

I propose to set the encrypted_password also to nil or to revert to its original value. Here is a little test scenario:

model.password = 'abc'
model.password = nil

model.valid_password? 'abc' => true

[lucasmazza]

@kaelumania sounds reasonable, can you please send a Pull Request for that? Thanks! 😄

[sivagollapalli]

@lucasmazza Should we need reset encrypted_password to nil if the password is nil ? If yes, I think we need to remove NOT NULL constraint for encrypted_password from migration. I just want to confirm prior implementation.

[lucasmazza]

@sivagollapalli no, we don't need to remove the constraint - from @kaelumania's report the goal is to ensure that both attributes are properly in sync, and not let a null password be persisted by the default.

[sivagollapalli]

@lucasmazza So, the above test case should return false but currently, it returns true. Am I right?

[eppdot]

@sivagollapalli yes, I think you are right. We use devise database_authenticatable while allowing nil passwords - which results in no access. Because not every entity in our system has a password or supports access by password. Therefore our barrier to reject access with NO (nil) password is line https://github.com/plataformatec/devise/blob/master/lib/devise/encryptor.rb#L13 that states if the password is nil it is not valid!

[tegon]

Closed via #4261