`has_secure_password` is great and was largely easy to implement in favour of heavier auth gems. It does have some quirks:
- No minimum password length enforcement
- No support for a ‘set password only’ form where the user is just entering (or resetting) their password without other details present. If the user doesn’t enter a password (i.e. an empty string is set), the password setter doesn’t set the empty string, it simply doesn’t assign a password at all. This skips any manual minimum password length validations (since these need to be
A more complete description of the problem is here: Updating password defined by `has_secured_password` with empty string does not trigger validation error · Issue #34348 · rails/rails · GitHub
I wonder if we could use the attributes api to back this virtual password column instead?
In case any of the above was unclear, I just struggled to implement a fairly common pattern (don’t set a password on user creation (if created by an admin), or set a random password), then email the user to ask them to activate their account by setting a password. This is difficult out of the box with
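The blank-password behaviour described in this post, as an added example that is not part of the original post and is not Rails' own code. `User` is a simplified stand-in for a `has_secure_password` model (PBKDF2 replaces bcrypt so it runs without gems); `SetPasswordForm` and `MIN_LENGTH` are hypothetical names.

```ruby
require "openssl"
require "securerandom"

# Simplified stand-in for a model using has_secure_password (assumption: it
# models only the setter behaviour described above, where "" is ignored).
class User
  attr_reader :password, :password_digest

  def password=(raw)
    if raw.nil?
      @password = @password_digest = nil
    elsif !raw.empty? # an empty string falls through: nothing is assigned
      @password = raw
      salt = SecureRandom.bytes(16)
      # PBKDF2 stands in for bcrypt so the example has no gem dependencies
      @password_digest = OpenSSL::PKCS5.pbkdf2_hmac(
        raw, salt, 100_000, 32, OpenSSL::Digest.new("SHA256")
      )
    end
  end
end

# Hypothetical form object for a "set password only" screen. It validates the
# submitted string itself, so a blank submission cannot skip the checks.
class SetPasswordForm
  MIN_LENGTH = 12 # constructed policy value
  MAX_BYTES  = 72 # bcrypt's input limit
  attr_reader :errors

  def initialize(user, password:, password_confirmation:)
    @user = user
    @password = password.to_s
    @confirmation = password_confirmation.to_s
    @errors = []
  end

  def save
    @errors << "password can't be blank" if @password.empty?
    @errors << "password is too short" if !@password.empty? && @password.length < MIN_LENGTH
    @errors << "password is too long" if @password.bytesize > MAX_BYTES
    @errors << "confirmation doesn't match" unless @password == @confirmation
    return false unless @errors.empty?

    @user.password = @password
    true
  end
end
```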