user.valid_password? not work if encrypt provider is sha512 and user.stretches has specified

[bitberry-dev]

Configuration

• Sorcery Version: 0.16.1
• Ruby Version: 2.7.2
• Framework: rails-6.0.4.1
• Platform: macOS 11.6

Expected Behavior

@user.valid_password?(correct_password) # should be true

Actual Behavior

@user.valid_password?(correct_password) # but it false

Steps to Reproduce

change the config/initializers/sorcery.rb as below:

user.stretches = 10
user.encryption_algorithm = :sha512

In rails console, create a user with password, for example 'secret'

Then exit the console;

Start rails console again, user.valid_password?('secret') will return false!

Problem analysis

valid_password?(password) in lib/sorcey/model.rb doesn't set stretches to specified value. The set_encryption_attributes class method will set stretches. authenticate and encrypt call the set_encryption_attributes method, but valid_password? doesn't.

Temporary solution

I temporarily solved this bug by calling method set_encryption_attributes right after the authenticates_with_sorcery! call in User model.

class User < ApplicationRecord
  authenticates_with_sorcery!
  set_encryption_attributes # <- here
end

I ran into this bug when migrating from devise, so it's probably not just my problem.

[bitberry-dev]

Same bug in sorcery's old repo

NoamB/sorcery#769

[joshbuker]

@bitberry-dev this should be as simple as calling that method from within validate_password?, if you want to open a PR. Otherwise I'll tackle this when I have a moment.

[joshbuker]

@bitberry-dev Fix should be merged into master. Can you give it a try, and if it works I'll go ahead and release v0.16.2?

[bitberry-dev]

@athix yep, I will check soon. Thank you

[bitberry-dev]

@athix just checked, everything works, thank you

[joshbuker]

@bitberry-dev v0.16.2 has been released with this fix included.