Create user failure with Rails 7.0 and encryption email

[devon]

Pre-check

class User < ApplicationRecord
  encrypts :email, deterministic: true, downcase: true

  devise :database_authenticatable, :registerable, :recoverable, :rememberable, :validatable
end

Environment

• ruby 3.0.2p107
• Rails 7.0.0
• Devise master branch (commit 025b1c8)

Current behavior

Error when creating user

User.create(email: '[email protected]',  password: 'password', password_confirmation: 'password')

gems/ruby-3.0.2/gems/activerecord-7.0.0/lib/active_record/encryption/encryptor.rb:58:in `rescue in decrypt': ActiveRecord::Encryption::Errors::Decryption (ActiveRecord::Encryption::Errors::Decryption)
gems/ruby-3.0.2/gems/activerecord-7.0.0/lib/active_record/encryption/message_serializer.rb:26:in `rescue in load': ActiveRecord::Encryption::Errors::Encoding (ActiveRecord::Encryption::Errors::Encoding)
rubies/ruby-3.0.2/lib/ruby/3.0.0/json/common.rb:216:in `parse': 809: unexpected token at '' (JSON::ParserError)

Create user successfully if we remove devise from User model.

User.create!(email: '[email protected]')

Expected behavior

Create user successfully when encrypts email.

[robicode]

I was having this issue as well, under Ruby 2.7.5 and 3.0.3, so I started a new application and set up authentication with the vanilla has_secure_password built into Rails. I basically used the same User model and migration provided by Devise but without the devise declarations. I then migrated the database and started a rails console. Surprise! Exact same error without Devise!

After a bit I found out that it was the null: false, default: "" options used on the email column that was the culprit. I removed those options, and now Devise seems to be working perfectly fine :)

[devon]

I was having this issue as well, under Ruby 2.7.5 and 3.0.3, so I started a new application and set up authentication with the vanilla has_secure_password built into Rails. I basically used the same User model and migration provided by Devise but without the devise declarations. I then migrated the database and started a rails console. Surprise! Exact same error without Devise!

After a bit I found out that it was the null: false, default: "" options used on the email column that was the culprit. I removed those options, and now Devise seems to be working perfectly fine :)

Yes, you're right, it works when the email could be nil.

In active record 7.0.1, encrypted_attribute_type.rb, the code detect nil? value, not blank? value:

def decrypt(value)
  with_context do
    encryptor.decrypt(value, **decryption_options) unless value.nil?
  end
  ...
end

Another approach is setup support_unencrypted_data to true:

config.active_record.encryption.support_unencrypted_data = true

[giedriusr]

Why devise has these options in the first place? Why it has null sounds obvious, but why it has default: ""?

[bpurinton]

Why devise has these options in the first place? Why it has null sounds obvious, but why it has default: ""?

@giedriusr I was wondering the same thing, here's how my colleague explained it, and now it makes sense to me:

Database constraints are more reliable than model validations in terms of keeping data integrity. I believe the idea is not that we expect, or even want, a blank email address, but rather we definitely don't want a nil email address. Yes, we can (and should) have validations to make sure that the email is present, but sometimes those can be skipped or maybe someone adds a callback to set the default email but the logic has a bug that sometimes allows nil values in. Constraints can notify people about those situations and uphold data integrity.