Remove legacy salt in password setter

moritzhoeppner · moritzhoeppner · commit 4465f98c92de · 2025-03-22T14:46:27.000+01:00
diff --git a/lib/devise-argon2/model.rb b/lib/devise-argon2/model.rb
@@ -38,6 +38,11 @@ def valid_password?(password)
         is_valid
       end
 
+      def password=(new_password)
+        self.password_salt = nil if migrate_hash_from_devise_argon2_v1?
+        super
+      end
+
       protected
 
       def password_digest(password)
diff --git a/spec/devise-argon2_spec.rb b/spec/devise-argon2_spec.rb
@@ -302,4 +302,38 @@ def work_factors(hash)
       )
     end
   end
+
+  describe 'password reset' do
+    NEW_PASSWORD = 'new password'
+
+    shared_examples 'ways of resetting the password' do
+      it 'can be done via password_reset' do
+        user.reset_password(NEW_PASSWORD, NEW_PASSWORD)
+        expect(user.valid_password?(NEW_PASSWORD)).to be true
+      end
+
+      it 'can be done via password=' do
+        user.password = NEW_PASSWORD
+        expect(user.valid_password?(NEW_PASSWORD)).to be true
+      end
+    end
+
+    context 'encrypted_password is hashed with the current version of devise-argon2' do
+      include_examples 'ways of resetting the password'
+    end
+
+    context 'encrypted_password is hashed with version 1 of devise-argon2' do
+      let(:user) { OldUser.new(password: CORRECT_PASSWORD) }
+
+      before do
+        Devise.argon2_options.merge!({ migrate_from_devise_argon2_v1: true })
+        user.password_salt = 'devise-argon2 v1 salt'
+        user.encrypted_password = ::Argon2::Password.create(
+          "#{CORRECT_PASSWORD}#{user.password_salt}#{Devise.pepper}"
+        )
+      end
+
+      include_examples 'ways of resetting the password'
+    end
+  end
 end
diff --git a/spec/rails_app/app/active_record/old_user.rb b/spec/rails_app/app/active_record/old_user.rb
@@ -1,3 +1,3 @@
 class OldUser < ActiveRecord::Base
-  devise :database_authenticatable, :argon2
+  devise :database_authenticatable, :recoverable, :argon2
 end
diff --git a/spec/rails_app/app/active_record/user.rb b/spec/rails_app/app/active_record/user.rb
@@ -1,3 +1,3 @@
 class User < ActiveRecord::Base
-  devise :database_authenticatable, :argon2
+  devise :database_authenticatable, :recoverable, :argon2
 end
diff --git a/spec/rails_app/app/mongoid/old_user.rb b/spec/rails_app/app/mongoid/old_user.rb
@@ -1,7 +1,7 @@
 class OldUser
   include Mongoid::Document
   
-  devise :database_authenticatable, :argon2
+  devise :database_authenticatable, :recoverable, :argon2
 
   field :email,              type: String, default: ""
   field :encrypted_password, type: String, default: ""
diff --git a/spec/rails_app/app/mongoid/user.rb b/spec/rails_app/app/mongoid/user.rb
@@ -1,7 +1,7 @@
 class User
   include Mongoid::Document
   
-  devise :database_authenticatable, :argon2
+  devise :database_authenticatable, :recoverable, :argon2
 
   field :email,              type: String, default: ""
   field :encrypted_password, type: String, default: ""
diff --git a/spec/rails_app/db/migrate/20250319085725_add_recoverable_fields_to_users.rb b/spec/rails_app/db/migrate/20250319085725_add_recoverable_fields_to_users.rb
@@ -0,0 +1,6 @@
+class AddRecoverableFieldsToUsers < ActiveRecord::Migration[7.2]
+  def change
+    add_column :users, :reset_password_token, :string
+    add_column :users, :reset_password_sent_at, :datetime
+  end
+end
diff --git a/spec/rails_app/db/migrate/20250319085738_add_recoverable_fields_to_old_users.rb b/spec/rails_app/db/migrate/20250319085738_add_recoverable_fields_to_old_users.rb
@@ -0,0 +1,6 @@
+class AddRecoverableFieldsToOldUsers < ActiveRecord::Migration[7.2]
+  def change
+    add_column :old_users, :reset_password_token, :string
+    add_column :old_users, :reset_password_sent_at, :datetime
+  end
+end
diff --git a/spec/rails_app/db/schema.rb b/spec/rails_app/db/schema.rb
@@ -10,13 +10,15 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2023_10_04_084147) do
+ActiveRecord::Schema.define(version: 2025_03_19_085738) do
   create_table "old_users", force: :cascade do |t|
     t.string "email", default: "", null: false
     t.string "encrypted_password", default: "", null: false
     t.string "password_salt"
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
+    t.string "reset_password_token"
+    t.datetime "reset_password_sent_at"
     t.index ["email"], name: "index_old_users_on_email", unique: true
   end
 
@@ -25,7 +27,8 @@
     t.string "encrypted_password", default: "", null: false
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
+    t.string "reset_password_token"
+    t.datetime "reset_password_sent_at"
     t.index ["email"], name: "index_users_on_email", unique: true
   end
-
 end
