Conversation
**Why**: Devise depends on the authenticable salt method, namely for serializing a user into the session: https://github.com/plataformatec/devise/blob/master/lib/devise/models/authenticatable.rb#L233-L235 Credit to @monfresh for finding this bug.
| encrypted_password_digest | ||
| ).password_salt | ||
| end | ||
|
|
There was a problem hiding this comment.
Should we add a comment saying this is a Devise method required for authentication that we are overriding and that should not be removed as long as we need to override it?
| end | ||
|
|
||
| def authenticatable_salt | ||
| return if encrypted_password_digest.blank? |
There was a problem hiding this comment.
I don't think we want to return here. There are probably some users who don't yet have an encrypted_password_digest, right? If those users sign in with RC 59, which uses password_salt as the authenticatable_salt, and then they hit RC 60, the salt will be different and their session will be dropped.
There was a problem hiding this comment.
There are not users who don't have an encrypted password digest. Those have been backfilled.
There was a problem hiding this comment.
Rather, there should not be users who have an encrypted password but not an encrypted password digest.
2 participants
Why: Devise depends on the authenticable salt method, namely for
serializing a user into the session:
https://github.com/plataformatec/devise/blob/master/lib/devise/models/authenticatable.rb#L233-L235
Credit to @monfresh for finding this bug.
Hi! Before submitting your PR for review, and/or before merging it, please
go through the following checklist:
For DB changes, check for missing indexes, check to see if the changes
affect other apps (such as the dashboard), make sure the DB columns in the
various environments are properly populated, coordinate with devops, plan
migrations in separate steps.
For route changes, make sure GET requests don't change state or result in
destructive behavior. GET requests should only result in information being
read, not written.
For encryption changes, make sure it is compatible with data that was
encrypted with the old code.
For secrets changes, make sure to update the S3 secrets bucket with the
new configs in all environments.
Do not disable Rubocop or Reek offenses unless you are absolutely sure
they are false positives. If you're not sure how to fix the offense, please
ask a teammate.
When reading data, write tests for nil values, empty strings,
and invalid formats.
When calling
redirect_toin a controller, use_url, not_path.When adding user data to the session, use the
user_sessionhelperinstead of the
sessionhelper so the data does not persist beyond the user'ssession.
When adding a new controller that requires the user to be fully
authenticated, make sure to add
before_action :confirm_two_factor_authenticated.