1
0
Fork 0
forked from OpenNeo/impress

Oops, stop requiring a new password whenever AuthUser is changed

Ah right, I went and checked the Devise source code, and the default
implementation for `password_required?` is a bit trickier than I
expected:

```ruby
def password_required?
  !persisted? || !password.nil? || !password_confirmation.nil?
end
```

Looks like `super` does a good enough job here, though! (I'm actually
kinda surprised, I wasn't sure how Ruby's `super` rules worked, and
this isn't a subclass thing—or maybe it is, maybe the `devise` method
adds a mixin? Idk! But it does what I expect, so, great!)

So now, we require the password if 1) Devise doesn't see a UI reason
not to, *and* 2) the user isn't using OmniAuth (i.e. NeoPass).

This had caused a bug where it was impossible to use the Settings page
*without* changing your password! (The form says it's okay to leave it
blank, which stopped being true! But now it's fixed!)
This commit is contained in:
Emi Matchu 2024-03-14 19:19:56 -07:00
parent 3eeb5d1065
commit 7f4c34ff6a
2 changed files with 3 additions and 2 deletions

View file

@ -37,7 +37,7 @@ class AuthUser < AuthRecord
end end
def password_required? def password_required?
!uses_omniauth? super && !uses_omniauth?
end end
def self.from_omniauth(auth) def self.from_omniauth(auth)

View file

@ -136,7 +136,8 @@ Rails.application.configure do
config.public_data_root = Rails.root / "public" / "public-data" config.public_data_root = Rails.root / "public" / "public-data"
# To see NeoPass features, add ?neopass=<SECRET> to relevant pages. # To see NeoPass features, add ?neopass=<SECRET> to relevant pages.
config.neopass_access_secret = Rails.credentials.neopass.access_secret config.neopass_access_secret =
Rails.application.credentials.neopass.access_secret
# Use the live NeoPass production server. # Use the live NeoPass production server.
config.neopass_origin = "https://oidc.neopets.com" config.neopass_origin = "https://oidc.neopets.com"