Merge pull request rails#55232 from callmesangio/fix-gh-55225

byroot · web-flow · commit 1351d545005a · 2025-07-22T17:19:04.000+02:00
`has_secure_password`: fix password validation.
diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
@@ -155,7 +155,7 @@ def has_secure_password(attribute = :password, validations: true, reset_token: t
             end
           end
 
-          validates_confirmation_of attribute, allow_blank: true
+          validates_confirmation_of attribute, allow_nil: true
         end
 
         # Only generate tokens for records that are capable of doing so (Active Records, not vanilla Active Models)
diff --git a/activemodel/test/cases/secure_password_test.rb b/activemodel/test/cases/secure_password_test.rb
@@ -104,6 +104,14 @@ class SecurePasswordTest < ActiveModel::TestCase
     assert_equal ["doesn't match Password"], @user.errors[:password_confirmation]
   end
 
+  test "create a new user with validation, a spaces only password, and an incorrect password confirmation" do
+    @user.password = " "
+    @user.password_confirmation = "something else"
+    assert_not @user.valid?(:create), "user should be invalid"
+    assert_equal 1, @user.errors.count
+    assert_equal ["doesn't match Password"], @user.errors[:password_confirmation]
+  end
+
   test "resetting password to nil clears the password cache" do
     @user.password = "password"
     @user.password = nil
@@ -179,6 +187,14 @@ class SecurePasswordTest < ActiveModel::TestCase
     assert_equal ["doesn't match Password"], @existing_user.errors[:password_confirmation]
   end
 
+  test "updating an existing user with validation, a spaces only password, and an incorrect password confirmation" do
+    @existing_user.password = " "
+    @existing_user.password_confirmation = "something else"
+    assert_not @existing_user.valid?(:update), "user should be invalid"
+    assert_equal 1, @existing_user.errors.count
+    assert_equal ["doesn't match Password"], @existing_user.errors[:password_confirmation]
+  end
+
   test "updating an existing user with validation and a correct password challenge" do
     @existing_user.password = "new password"
     @existing_user.password_challenge = "password"
