From 7f4c34ff6aad2fa949e2d7456ab0c844fa8c615d Mon Sep 17 00:00:00 2001 From: Emi Matchu Date: Thu, 14 Mar 2024 19:19:56 -0700 Subject: [PATCH] Oops, stop requiring a new password whenever AuthUser is changed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ah right, I went and checked the Devise source code, and the default implementation for `password_required?` is a bit trickier than I expected: ```ruby def password_required? !persisted? || !password.nil? || !password_confirmation.nil? end ``` Looks like `super` does a good enough job here, though! (I'm actually kinda surprised, I wasn't sure how Ruby's `super` rules worked, and this isn't a subclass thing—or maybe it is, maybe the `devise` method adds a mixin? Idk! But it does what I expect, so, great!) So now, we require the password if 1) Devise doesn't see a UI reason not to, *and* 2) the user isn't using OmniAuth (i.e. NeoPass). This had caused a bug where it was impossible to use the Settings page *without* changing your password! (The form says it's okay to leave it blank, which stopped being true! But now it's fixed!) --- app/models/auth_user.rb | 2 +- config/environments/production.rb | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/app/models/auth_user.rb b/app/models/auth_user.rb index 89b4a226..5830abc5 100644 --- a/app/models/auth_user.rb +++ b/app/models/auth_user.rb @@ -37,7 +37,7 @@ class AuthUser < AuthRecord end def password_required? - !uses_omniauth? + super && !uses_omniauth? end def self.from_omniauth(auth) diff --git a/config/environments/production.rb b/config/environments/production.rb index 6be22103..32d4f8ab 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb 
@@ -136,7 +136,8 @@ Rails.application.configure do config.public_data_root = Rails.root / "public" / "public-data" # To see NeoPass features, add ?neopass= to relevant pages. - config.neopass_access_secret = Rails.credentials.neopass.access_secret + config.neopass_access_secret = + Rails.application.credentials.neopass.access_secret # Use the live NeoPass production server. config.neopass_origin = "https://oidc.neopets.com"
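Review bot: In the `app/models/auth_user.rb` hunk, `super && !uses_omniauth?` lands without a regression test. The diffstat touches only the model and the production config, so nothing pins down the Settings-page case described in the commit message. Consider adding a model test asserting that a persisted, non-OmniAuth `AuthUser` with `password` and `password_confirmation` both `nil` is valid on update, and that a new non-OmniAuth record still requires a password. Since the Devise default quoted in the message checks `!password.nil?`, it is also worth confirming that the Settings form submits a blank field as `nil` rather than as an empty string; otherwise `super` would still return true. A one-line comment above `password_required?` naming the two conditions would keep the reasoning next to the code instead of only in the commit message.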
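Review bot: In the `config/environments/production.rb` hunk, the switch from `Rails.credentials` to `Rails.application.credentials` is not mentioned anywhere in the commit message, which only discusses `password_required?`. This reads as an independent fix for the production environment and would be easier to track or revert as its own commit, or at least with a line in the message saying what it repairs. Separately, the chained lookup `credentials.neopass.access_secret` will raise if the `neopass` section is missing from the credentials file; if the intent is to fail at boot when the secret is absent, a short comment saying so would help, and otherwise `Rails.application.credentials.dig(:neopass, :access_secret)` avoids the error on a missing section.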