Prevent error when authenticating user with a blank password digest

mibradev · p8 · mibradev · commit d1d4a54c2344 · 2021-09-24T09:28:10.000+02:00
Co-authored-by: Petrik de Heus &lt;petrik@deheus.net&gt;
diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
@@ -118,7 +118,7 @@ def initialize(attribute)
         #   user.authenticate_password('mUc3m00RsqyRe') # => user
         define_method("authenticate_#{attribute}") do |unencrypted_password|
           attribute_digest = public_send("#{attribute}_digest")
-          BCrypt::Password.new(attribute_digest).is_password?(unencrypted_password) && self
+          attribute_digest.present? && BCrypt::Password.new(attribute_digest).is_password?(unencrypted_password) && self
         end
 
         alias_method :authenticate, :authenticate_password if attribute == :password
diff --git a/activemodel/test/cases/secure_password_test.rb b/activemodel/test/cases/secure_password_test.rb
@@ -212,6 +212,11 @@ class SecurePasswordTest < ActiveModel::TestCase
     assert_equal @user, @user.authenticate_recovery_password("42password")
   end
 
+  test "authenticate should return false and not raise when password digest is blank" do
+    @user.password_digest = " "
+    assert_equal false, @user.authenticate(" ")
+  end
+
   test "Password digest cost defaults to bcrypt default cost when min_cost is false" do
     ActiveModel::SecurePassword.min_cost = false
 
