password param not being included in strong params

Question

I'm using Bcrypt with has_secure_password in my User class, and trying to create a new User with username and password, but the password param, although permitted in my strong params, is not coming through.

This is my User class:

class User < ApplicationRecord
  has_secure_password

  has_many :journals
end

This is the User Controller:

class Api::V1::UsersController < ActionController::API
  def index
    @users = User.all
    render json: @users.to_json(:include => :journals)
  end

  def create
    byebug
    @user = User.create(user_params)
  end

  private

  def user_params
    params.require(:user).permit(:username, :password)
  end
end

I'm trying to post a new user with:

fetch('http://localhost:3001/api/v1/users', {
method: 'POST', 
headers: {Accept: 'application/json', "Content-Type": 
'application/json'}, 
body: JSON.stringify({username: 'Name', password: 'test'})})

and the result, inside the byebug in 'create', is:

(byebug) params
<ActionController::Parameters {"username"=>"Name", "password"=>"test", 
"controller"=>"api/v1/users", "action"=>"create", "user"=> . 
{"username"=>"Name"}} permitted: false>
(byebug) user_params
<ActionController::Parameters {"username"=>"Name"} permitted: true>

No matter what I try, I cannot access the password param in user_params to create a user with a hashed password.

In terminal, in rails console, I can create a user and the password gets hashed as expected, I can then fetch that user information from the API with a normal fetch request, but I cannot use strong params to create a User with a Post request, and I don't know why.

score 14 · Accepted Answer · edited Jun 20 '20 at 09:12

14

but I cannot use strong params to create a User with a Post request, and I don't know why.

Mainly because you're not using strong params correctly.

params.require(:user).permit(:username, :password)

This means that you need to pass {user: {username: 'foo', password: 'bar'}} instead of {username: 'foo', password: 'bar'} (see the nesting?).

But even though you don't pass params[:user][:username], it is somehow magically there. How? ParamsWrapper, that's how.

If you enable ParamsWrapper for :json format, instead of having to send JSON parameters like this:
{"user": {"name": "Konata"}}
You can send parameters like this:
{"name": "Konata"}

Yes, but why password doesn't get the same treatment? We find out a few lines below:

On Active Record models with no :include or :exclude option set, it will only wrap the parameters returned by the class method attribute_names.

password is not an attribute/column in your model, so params wrapper ignores it.

edited Jun 20 '20 at 09:12

Community

1
1

answered Jun 19 '18 at 22:40

Sergio Tulentsev

226,338
43
373
367

@robert did this help? – Sergio Tulentsev Jun 20 '18 at 06:59
Thank you! That explained it perfectly. I wasn't aware of ParamsWrapper and thought I was missing something about how to use has_secure_password. – Robert Jun 20 '18 at 17:25
First question I’ve asked, didn’t realize I had to. Thanks for your help! – Robert Jun 20 '18 at 23:27
Mystery solved! – Ray Jasson Apr 08 '22 at 13:53

password param not being included in strong params

1 Answers1

Linked