From fe9da7988fbb1511fab6d985aa7b4c155cfe6c50 Mon Sep 17 00:00:00 2001 
From: taitus
Date: Fri, 28 Jul 2023 10:21:24 +0200
Subject: [PATCH] Enable password_complexity

As it seems that adding complexity to the password is something that might be wanted from the Consul applications, we added the necessary changes to allow it.

In this version we simply:

- Uncomment the configuration variable "password_complexity"
- Set this variable without any restrictions
- Adapt the application so that everything still works normally.

One of the things that had to be done to adapt the application was to remove the overwriting of the "self.included" method.

The original idea of overwriting the "self.included" method seems to be the possibility of being able to overwrite the :current_equal_password_validation validation. The problem comes from the fact that by only calling that validation, the rest of the validations that are defined (in this case "password_complexity") are no longer applied.

It seems like a good idea to remove the overwrite of the "self.included" method to allow all the defined validations to be applied and simply overwrite the :current_equal_password_validation method so that everything behaves the same.

:allow_passwords_equal_to_email configuration has been enabled too, in order to allow existing records with this configuration.

Another change made was to uncomment the line:

and to keep everything working the same set the value to false: config.email_validation = false.

This change has had to be made because in the documentation of devise-security it says the following:

In other words, if we want to use the :secure_validatable module we have to enable this configuration even if its value is "false".

If we kept the configuration variable commented out:

The following error appears: "uninitialized constant Devise::Models::SecureValidatable::EmailValidator".

So it has been verified that if before making any change we uncommented the line and added the value of "false", the application worked as normal.
--- config/initializers/devise-security.rb | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/config/initializers/devise-security.rb b/config/initializers/devise-security.rb index f7ff3bc28..dde3e34e3 100644 --- a/config/initializers/devise-security.rb +++ b/config/initializers/devise-security.rb @@ -8,7 +8,7 @@ Devise.setup do |config| # Need 1 char each of: A-Z, a-z, 0-9, and a punctuation mark or symbol # You may use "digits" in place of "digit" and "symbols" in place of # "symbol" based on your preference - # config.password_complexity = { digit: 1, lower: 1, symbol: 1, upper: 1 } + config.password_complexity = { digit: 0, lower: 0, symbol: 0, upper: 0 } # How many passwords to keep in archive # config.password_archiving_count = 5 @@ -21,7 +21,7 @@ Devise.setup do |config| # enable email validation for :secure_validatable. (true, false, validation_options) # dependency: see https://github.com/devise-security/devise-security/blob/master/README.md#e-mail-validation - # config.email_validation = true + config.email_validation = false # captcha integration for recover form # config.captcha_for_recover = true @@ -42,7 +42,7 @@ Devise.setup do |config| # config.expire_after = 90.days # Allow password to equal the email - # config.allow_passwords_equal_to_email = false + config.allow_passwords_equal_to_email = true end module Devise @@ -58,14 +58,6 @@ module Devise end module SecureValidatable - def self.included(base) - base.extend ClassMethods - assert_secure_validations_api!(base) - base.class_eval do - validate :current_equal_password_validation - end - end - def current_equal_password_validation if !new_record? && !encrypted_password_change.nil? && !erased? dummy = self.class.new
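Review bot: in the first hunk (@@ -8,7) `config.password_complexity = { digit: 0, lower: 0, symbol: 0, upper: 0 }` switches the complexity validator on while enforcing nothing, yet the comment kept directly above it ("Need 1 char each of: A-Z, a-z, 0-9, and a punctuation mark or symbol") now describes a rule the configured value does not apply. Update that comment to say the counts are deliberately zero as a starting point and that operators are expected to raise them, otherwise a reader of the initializer will assume the stricter policy is in force; the commit message should likewise state plainly that this version adds no actual complexity requirement.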
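Review bot: in the second hunk (@@ -21,7) `config.email_validation = false` is set explicitly only to avoid the "uninitialized constant Devise::Models::SecureValidatable::EmailValidator" error described in the commit message, but that reason is not visible in the file. Add a comment above the line saying the key must be present for :secure_validatable to load and that `false` intentionally keeps the previous behaviour (no e-mail validation), so a later cleanup does not re-comment it and reintroduce the error.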
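Review bot: in the third hunk (@@ -42,7) the commented-out line `# config.allow_passwords_equal_to_email = false` becomes `config.allow_passwords_equal_to_email = true`, which relaxes the password policy for every account, not only the existing records the commit message gives as the motivation. Record that rationale next to the setting in the initializer, and consider a follow-up so the permissive value does not remain the permanent default once the legacy records no longer need it.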
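Review bot: the fourth hunk (@@ -58,14) removes the `self.included` override that called `base.extend ClassMethods`, `assert_secure_validations_api!(base)` and `validate :current_equal_password_validation`, so this file no longer registers that validation itself; the overridden `current_equal_password_validation` will only run if the gem's own `included` hook still wires it up. Please confirm that against the devise-security version in use and add a model test asserting that a password change on an existing record still triggers this check, since a mismatch here would silently drop the validation rather than raise an error. The hunk is also cut off after `dummy = self.class.new`, so the rest of the overridden method cannot be reviewed from this patch.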