Right now, using the feature rails g authentication
in Rails 8,
if we create two users with the same password, then the password_digest
is the same too.
I suppose we should add a salt (generated randomly by bcrypt) to make the password more secure.
I think we can learn from here
Have you included the bcrypt gem? It should be generating a salt each time and storing that in the field. See this StackOverflow answer for how that works.
Yes, bcrypt
already salts the password by default.
At the beginning, I habitually thought that there must be an independent salt field
in the users table. Later I found that both the password hash and the password salt are already saved in just one field, which is password_digest,
and I found the entire process is:
- find the user by email_address
- extract the salt by user.password_digest.salt
- calculate the digest of the salt and params[:password]
- compare the digest with the password_digest in the db
Anyway, thank you so much for this
@ElbertDue I have to prove you wrong on that
class User < ApplicationRecord
  has_secure_password
  has_many :sessions, dependent: :destroy
  normalizes :email_address, with: ->(value) { value.strip.downcase }
end
$ rails c
Loading development environment (Rails 8.0.1)
app(dev)> u1 = User.new(email_address: "john@doe.tld", password: "password")
=> #<User:0x0000ffff8b10fc58 id: nil, email_address: "[FILTERED]", password_digest: "[FILTERED]", created_at: nil, updated_at: nil>
app(dev)> u1.password_digest
=> "$2a$12$eYqyYQ.b5jZ79MJ8Y6u4T.Yu7Z90TzEyYPZ2LXRp7ezcESFTXca0W"
app(dev)> u2 = User.new(email_address: "jane@doe.tld", password: "password")
=> #<User:0x0000ffff8b059250 id: nil, email_address: "[FILTERED]", password_digest: "[FILTERED]", created_at: nil, updated_at: nil>
app(dev)> u2.password_digest
=> "$2a$12$Pl1vN7L7t3ZbK8W/e15tHeLKYEN8OGkPu.dqSve7fhU3ezxb7lt.2"
app(dev)> u1.password_digest === u2.password_digest
=> false
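As an added illustration of both points in this thread (the salt living inside the password_digest column, as the two digests above show, and the four login steps listed earlier), here is example code that is not from the thread and not from Rails or the bcrypt gem. The first function parses the bcrypt layout "$2a$cost$22-char-salt31-char-hash" with plain string slicing, so it needs no gem. The login flow below it uses PBKDF2 from Ruby's standard OpenSSL library as a stand-in for bcrypt (assumed so the example runs without the gem), with an in-memory USERS hash and an ITERATIONS constant that are assumptions for the example only.

```ruby
require "openssl"
require "securerandom"

# A bcrypt digest is "$2a$12$" + 22-char salt + 31-char hash, all in one string.
# Parsed here with a regex only (example code; not the bcrypt gem's implementation).
# The :salt value is the leading 29 characters, i.e. version + cost + raw salt.
def bcrypt_parts(digest)
  m = digest.match(/\A\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/)
  raise ArgumentError, "not a bcrypt digest" unless m
  { version: m[1], cost: m[2].to_i, salt: digest[0, 29], hash: m[4] }
end

# --- Login flow with the salt embedded in the stored digest -------------------
# PBKDF2-HMAC-SHA256 stands in for bcrypt so this runs with the stdlib only.
ITERATIONS = 50_000          # assumption for the example; tune for real use
USERS = {}                   # hypothetical in-memory users table, keyed by email

# Stored format (constructed for this example): $pbkdf2-sha256$iters$saltHex$keyHex
def make_digest(password, salt, iterations = ITERATIONS)
  key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                 length: 32, hash: "sha256")
  "$pbkdf2-sha256$#{iterations}$#{salt.unpack1('H*')}$#{key.unpack1('H*')}"
end

# Each user gets a fresh random salt, which is why two users sharing a password
# still end up with different password_digest values.
def create_user(email_address, password)
  salt = SecureRandom.random_bytes(16)
  USERS[email_address.strip.downcase] = { password_digest: make_digest(password, salt) }
end

# Constant-time comparison so a mismatch does not leak where the strings differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def authenticate(email_address, password)
  user = USERS[email_address.strip.downcase]            # 1. find the user by email
  return false unless user
  _, _scheme, iters, salt_hex, _key = user[:password_digest].split("$")
  salt = [salt_hex].pack("H*")                           # 2. pull the salt out of the digest
  candidate = make_digest(password, salt, iters.to_i)   # 3. digest salt + submitted password
  secure_equal?(candidate, user[:password_digest])      # 4. compare with the stored digest
end

if __FILE__ == $0
  # Digests are the two values pasted from the console session in this thread.
  d1 = "$2a$12$eYqyYQ.b5jZ79MJ8Y6u4T.Yu7Z90TzEyYPZ2LXRp7ezcESFTXca0W"
  d2 = "$2a$12$Pl1vN7L7t3ZbK8W/e15tHeLKYEN8OGkPu.dqSve7fhU3ezxb7lt.2"
  puts "salt 1: #{bcrypt_parts(d1)[:salt]}"
  puts "salt 2: #{bcrypt_parts(d2)[:salt]}"
  create_user("john@doe.tld", "password")
  create_user("jane@doe.tld", "password")
  puts "same digest? #{USERS['john@doe.tld'][:password_digest] == USERS['jane@doe.tld'][:password_digest]}"
  puts "login ok?    #{authenticate('john@doe.tld', 'password')}"
end
```

Running it shows the two thread digests carry different salts under the same cost factor, and that a correct password verifies while a wrong one or an unknown email does not, without any separate salt column.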