2

We support a bit of an unusual scheme. We don't require a password on User creation, and use password_resets to add a password to the user later, on demand. The problem is, once a password is created, the console indicates the password is valid:

user.valid_password? 'test'
=> true

but in my UserSessions controller, @user_session.save returns false using the same password. What am I not seeing?

Kimball

UPDATE:

Providing more details, here is the output when saving the new password:

Processing PasswordResetsController#update (for 127.0.0.1 at 2011-01-31 14:01:12) [PUT] Parameters: {"commit"=>"Update password", "action"=>"update", "_method"=>"put", "authenticity_token"=>"PQD4+eIREKBfHR3/fleWuQSEtZd7RIvl7khSYo5eXe0=", "id"=>"v3iWW5eD9P9frbEQDvxp", "controller"=>"password_resets", "user"=>{"password"=>"johnwayne"}}

The applicable SQL is:

UPDATE users SET updated_at = '2011-01-31 22:01:12',
crypted_password = 'blah',
perishable_token = 'blah',
password_salt = 'blah',
persistence_token = 'blah'
WHERE id = 580

I don't see an error per se, @user_session.save just returns false, as if the password didn't match.

I skip validating passwords in the User model:

class User < ActiveRecord::Base
  # Skip Authlogic's password field validations so a user can exist without a password
  acts_as_authentic do |c|
    c.validate_password_field = false
  end
end

Here's the simplified controller code:

def create
  logger.info("SAVED SESSION? #{@user_session.save}")
end

which outputs:

Processing UserSessionsController#create (for 127.0.0.1 at 2011-01-31 14:16:59) [POST]
Parameters: {"commit"=>"Login", "user_session"=>{"remember_me"=>"0", "password"=>"johnwayne", "email"=>"test@email.com"}, "action"=>"create", "authenticity_token"=>"PQD4+eIREKBfHR3/fleWuQSEtZd7RIvl7khSYo5eXe0=", "controller"=>"user_sessions"}
User Columns (2.2ms) SHOW FIELDS FROM users
User Load (3.7ms) SELECT * FROM users WHERE (users.email = 'test@email.com') ORDER BY email ASC LIMIT 1
SAVED SESSION? false
CACHE (0.0ms) SELECT * FROM users WHERE (users.email = 'test@email.com') ORDER BY email ASC LIMIT 1
Redirected to http://localhost:3000/login

Lastly, the console indicates that the new password is valid:

$ u.valid_password? 'johnwayne'
=> true

Would love to do it all in the console, is there a way to load UserSession controller and call methods directly?

Kimball

kbighorse
  • When you are saving the user again, what fields are you setting? – Michael Papile Jan 31 '11 at 21:40
  • Is there a password confirmation that you need to provide as well? If not, can you please include the validation error message from the user model? – Pan Thomakos Jan 31 '11 at 21:41
  • authlogic requires a password_confirmation field when adding the User, but not for authentication. I agree with @Pan Thomakos, post the error message, please. – tomeduarte Jan 31 '11 at 21:48
  • edited my question with more detail, thank you for taking a look! The password_confirmation is a great point, one thing I forgot to mention is that users that created accounts with a password can successfully change their passwords and log in with it. – kbighorse Jan 31 '11 at 22:30
  • 1
    In answer to your last point: http://www.tatvartha.com/2009/09/working-with-authlogic-in-scriptconsole/ – zetetic Feb 01 '11 at 04:50

3 Answers

2

On your object you are saving, call u.errors.full_messages.inspect after save. What is the output of this? Also do u.valid?

Michael Papile
1

Users will also be denied access if their failed_login_count is over 50, per Authlogic::Session::BruteForceProtection.

MustModify
1

Turns out I had an 'active' attribute on my User model that needs to be true to allow logins. I found the problem by using @zetetic's link to try to create a UserSession. The errors.full_messages on the created UserSession object showed the error. Many thanks to everyone for your help! I do wish I'd seen the error in the log, but that's another matter.

kbighorse
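An added example, not part of the original posts and not Authlogic's code: a simplified Ruby model of how valid_password? can be true while saving the session still fails, and how the session's error list names the check that refused the login. ModelUser, ModelSession, build_user, login_report, the error strings and the sample account are constructed for illustration; the limit of 50 is the figure quoted in the answer above.

```ruby
# Simplified model of a login check chain; NOT Authlogic's own code.
# All class, method and message names here are hypothetical.
require "digest"
FAILED_LOGIN_LIMIT = 50 # figure quoted in the answer above

ModelUser = Struct.new(:email, :salt, :crypted_password, :active, :failed_login_count) do
  # Stand-in hash for this model only, not a password-storage recommendation.
  def self.digest(password, salt)
    Digest::SHA512.hexdigest(password + salt)
  end

  def valid_password?(attempt)
    crypted_password == self.class.digest(attempt, salt)
  end
end

class ModelSession
  attr_reader :errors
  def initialize(user, password)
    @user, @password, @errors = user, password, []
  end

  # True only when every check passes; otherwise records the reason.
  def save
    @errors = []
    if @user.failed_login_count >= FAILED_LOGIN_LIMIT
      @errors << "Failed login limit exceeded"
    elsif !@user.valid_password?(@password)
      @errors << "Password is not valid"
    elsif !@user.active
      @errors << "Account is not active"
    end
    @errors.empty?
  end
end

# Constructed sample account matching the question's test login.
def build_user(active:, failed_login_count: 0)
  salt = "constructed-salt"
  ModelUser.new("test@email.com", salt, ModelUser.digest("johnwayne", salt), active, failed_login_count)
end

# Attempts a login and returns the outcome together with the recorded reasons,
# which is what a controller would write to the log on a failed save.
def login_report(user, password)
  session = ModelSession.new(user, password)
  { saved: session.save, reasons: session.errors }
end
```

Calling login_report(build_user(active: false), "johnwayne") returns a failed save with the inactive-account reason even though the password itself verifies, which is the situation described in the question.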