18F · mitchellhenke · Jan 24, 2023 · Jan 24, 2023 · mitchellhenke · Jan 24, 2023
diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
@@ -15,7 +15,6 @@ class SessionsController < Devise::SessionsController
     before_action :check_user_needs_redirect, only: [:new]
     before_action :apply_secure_headers_override, only: [:new, :create]
     before_action :clear_session_bad_password_count_if_window_expired, only: [:create]
-    before_action :update_devise_params_sanitizer, only: [:new]
 
     def new
       analytics.sign_in_page_visit(
@@ -240,8 +239,8 @@ def override_csp_for_google_analytics
       request.content_security_policy = policy
     end
 
-    def update_devise_params_sanitizer
-      devise_parameter_sanitizer.permit(:sign_in, except: [:email, :password]) if !request.post?
+    def sign_in_params
+      params[resource_name]&.permit(:email) if request.post?
     end
   end
 

diff --git a/spec/controllers/users/sessions_controller_spec.rb b/spec/controllers/users/sessions_controller_spec.rb
@@ -235,6 +235,7 @@
         sp_request_url_present: false,
         remember_device: false,
       }
+      expect(SCrypt::Engine).to receive(:hash_secret).once.and_call_original
 
       expect(@analytics).to receive(:track_event).
         with('Email and Password Authentication', analytics_hash)
@@ -252,6 +253,7 @@
         sp_request_url_present: false,
         remember_device: false,
       }
+      expect(SCrypt::Engine).to receive(:hash_secret).once.and_call_original
 
       expect(@analytics).to receive(:track_event).
         with('Email and Password Authentication', analytics_hash)