Merge pull request rails#43284 from mibradev/password-digest-nil

rafaelfranca · web-flow · commit 902e829914f3 · 2021-11-25T13:59:42.000-05:00
Prevent error when authenticating user with a blank password digest
diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
@@ -119,7 +119,7 @@ def initialize(attribute)
         #   user.authenticate_password('mUc3m00RsqyRe') # => user
         define_method("authenticate_#{attribute}") do |unencrypted_password|
           attribute_digest = public_send("#{attribute}_digest")
-          BCrypt::Password.new(attribute_digest).is_password?(unencrypted_password) && self
+          attribute_digest.present? && BCrypt::Password.new(attribute_digest).is_password?(unencrypted_password) && self
         end
 
         alias_method :authenticate, :authenticate_password if attribute == :password
diff --git a/activemodel/test/cases/secure_password_test.rb b/activemodel/test/cases/secure_password_test.rb
@@ -218,6 +218,11 @@ class SecurePasswordTest < ActiveModel::TestCase
     assert_equal @user, @user.authenticate_recovery_password("42password")
   end
 
+  test "authenticate should return false and not raise when password digest is blank" do
+    @user.password_digest = " "
+    assert_equal false, @user.authenticate(" ")
+  end
+
   test "Password digest cost defaults to bcrypt default cost when min_cost is false" do
     ActiveModel::SecurePassword.min_cost = false
 
