has_secure_password: fix password validation.

callmesangio · callmesangio · commit 9fc0effe5a50 · 2025-07-21T17:53:22.000+02:00
Previously, the password confirmation validation added by `has_secure_password` was skipped if the password string was a sequence of whitespace characters, regardless of the string provided as confirmation, which was ignored with no error messages. This change fixes that behavior, so that the confirmation validation runs consistently, independently of the password string content. Fixes rails#55225
diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
@@ -155,7 +155,7 @@ def has_secure_password(attribute = :password, validations: true, reset_token: t
             end
           end
 
-          validates_confirmation_of attribute, allow_blank: true
+          validates_confirmation_of attribute, allow_nil: true
         end
 
         # Only generate tokens for records that are capable of doing so (Active Records, not vanilla Active Models)
diff --git a/activemodel/test/cases/secure_password_test.rb b/activemodel/test/cases/secure_password_test.rb
@@ -104,6 +104,14 @@ class SecurePasswordTest < ActiveModel::TestCase
     assert_equal ["doesn't match Password"], @user.errors[:password_confirmation]
   end
 
+  test "create a new user with validation, a spaces only password, and an incorrect password confirmation" do
+    @user.password = " "
+    @user.password_confirmation = "something else"
+    assert_not @user.valid?(:create), "user should be invalid"
+    assert_equal 1, @user.errors.count
+    assert_equal ["doesn't match Password"], @user.errors[:password_confirmation]
+  end
+
   test "resetting password to nil clears the password cache" do
     @user.password = "password"
     @user.password = nil
@@ -179,6 +187,14 @@ class SecurePasswordTest < ActiveModel::TestCase
     assert_equal ["doesn't match Password"], @existing_user.errors[:password_confirmation]
   end
 
+  test "updating an existing user with validation, a spaces only password, and an incorrect password confirmation" do
+    @existing_user.password = " "
+    @existing_user.password_confirmation = "something else"
+    assert_not @existing_user.valid?(:update), "user should be invalid"
+    assert_equal 1, @existing_user.errors.count
+    assert_equal ["doesn't match Password"], @existing_user.errors[:password_confirmation]
+  end
+
   test "updating an existing user with validation and a correct password challenge" do
     @existing_user.password = "new password"
     @existing_user.password_challenge = "password"
