0

I am implementing a validation scheme and am using the bcrypt-ruby gem.

require 'bcrypt'

    class User < ActiveRecord::Base

      include BCrypt

      attr_accessor :password

      attr_accessible :name, :email, :password, :password_confirmation

      validates :password, :presence => true, :on => :create,
                           :confirmation => true,
                           :length => {:within => 6..12}

     before_save :encrypt_password

      def has_password?(submitted_password)
      self.encrypted_password == submitted_password # this calls a method in bcrypt    

    # File lib/bcrypt.rb, line 171
    #     def ==(secret)
    #       super(BCrypt::Engine.hash_secret(secret, @salt))
    #     end

      end

    private

      def encrypt_password

           self.encrypted_password = Password.create(password, :cost => 5)  
       end
    end

Now in the console I create a new user

>> user = User.create!(:name => "test", :email => "test@test.com", :password => "foobar", :password_confirmation => "foobar")

=> #<User id: 1, name: "test", email: "test@test.com", created_at: "2011-06-23 05:00:00", updated_at: "2011-06-23 05:00:00", encrypted_password: "$2a$10$I7Wy8NDMeVcNgOsE3J/ZyubiNAESyxA7Z49H4p1x5xxH...">

And if I check if the password is valid I do the following:

>> user.has_password?("foobar")
=> true

but if I get the user from the database it fails:

user = User.find(1)
user.has_password?("foobar")
=> false

Why does that happen and how can I implement bcrypt to make this work?

Thank you in advance.

Chris
  • 5,788
  • 4
  • 29
  • 40
chell
  • 7,646
  • 16
  • 74
  • 140

2 Answers2

0

As described over here you have to use the password class of Bcrypt to utilize the ==

def has_password?(submitted_password)
  Bcrypt::Password.new(self.encrypted_password) == submitted_password
end
Denny Mueller
  • 3,505
  • 5
  • 36
  • 67
0

My guess would be that since encrypted_password is stored in the database as a string and not a BCrypt::Password, you're not calling into BCrypt's ==, but rather String's ==. You have to instantiate an instance of the Password around the string hash value. That would be where I'd look.

Ben Hughes
  • 14,075
  • 1
  • 41
  • 34
  • Is it better to store a BCrypt::Password in the db instead of encypted_password? How can I do that? – chell Jun 23 '11 at 10:41