How to verify a user's password in Devise

Question

I'm having a problem matching user password using devise gem in rails. User password stored on my db which is encrypted_password and i am trying to find user by password, but I don't understand how to match password from form and encrypted_password in my db.

User.find_by_email_and_password(params[:user][:email], params[:user][:password])

I think the correct answer has been offered up. Can you select it? — Brendon Muir, Apr 08 '13 at 04:25

score 280 · Answer 1 · edited Jul 25 '11 at 21:39

280

I think this is a better, and more elegant way of doing it:

user = User.find_by_email(params[:user][:email])
user.valid_password?(params[:user][:password])

The other method where you generate the digest from the user instance was giving me protected method errors.

edited Jul 25 '11 at 21:39

Arnaud Leymet

5,995
4
35
51

answered Dec 06 '10 at 19:23

joshaidan

3,842
1
22
17

2

password digest is protected, you can get around it this way. User.new.send(:password_digest, 'password') – Mark Swardstrom Oct 27 '13 at 06:25
but this would lead to guessing the user password in some context, how to check password and still benefit from devise throttling protection? – simo Dec 25 '19 at 14:21
Thanks a lot sir, this is exactly what i am searching. – Jigar Bhatt Mar 01 '22 at 06:01

Sheharyar · Answer 2 · 2017-03-11T18:14:36.953

Use Devise Methods

Devise provides you with built-in methods to verify a user's password:

user = User.find_for_authentication(email: params[:user][:email])

user.valid_password?(params[:user][:password])

For Rails 4+ with Strong Params, you can do something like this:

def login
  user = User.find_for_authentication(email: login_params[:email])

  if user.valid_password?(login_params[:password])
    user.remember_me = login_params[:remember_me]
    sign_in_and_redirect(user, event: :authentication)
  end
end

private
def login_params
  params.require(:user).permit(:email, :password, :remember_me)
end

score 6 · Answer 3 · edited Nov 26 '15 at 18:20

6

I think the better one will be this

valid_password = User.find_by_email(params[:user][:email]).valid_password?(params[:user][:password])

edited Nov 26 '15 at 18:20

Uri

2,306
2
24
25

answered May 06 '14 at 09:00

Amrit Dhungana

4,371
5
31
36

4

That would set user to a boolean value (whether the password was valid or not). – Ryan Taylor Jun 02 '15 at 16:45

score 1 · Answer 4 · answered Apr 12 '22 at 19:26

For 2022, devise is required to add :database_authenticatable to use valid_password? method

class User < ApplicationRecord
  devise :xxxable, :yyyable, :database_authenticatable

But, if you need only to verify the entering password just go like this

class User < ApplicationRecord
  devise :xxxable, :yyyable#, :database_authenticatable
  def valid_password?(verifying_word)
    password_digest_instance = BCrypt::Password.new(self.password_digest)
    current_password_salt = password_digest_instance.salt
    hashed_verifying_word_with_same_salt = BCrypt::Engine.hash_secret(verifying_word, current_password_salt)
    Devise.secure_compare(hashed_verifying_word_with_same_salt, self.password_digest)

Then

user = User.find_by(email: params[:user][:email])
user = nil unless user.try(:valid_password?, params[:user][:password])

score 0 · Answer 5 · answered May 02 '16 at 19:03

0

I would suggest this.

user = User.where("email=? OR username=?", email_or_username, email_or_username).first.valid_password?(user_password)

answered May 02 '16 at 19:03

Roshan

905
9
21

How to verify a user's password in Devise

5 Answers5

Use Devise Methods

Linked