Rails · How-To · Beginner · 4 min read

How to Use has_secure_password in Ruby on Rails for Secure Passwords

In Ruby on Rails, use has_secure_password in your model to add password hashing and authentication features automatically. It requires a password_digest column in your database and provides virtual attributes password and password_confirmation for secure password handling.

Syntax

The has_secure_password method is added inside a Rails model to enable secure password handling. It expects a password_digest column in the database. This method adds virtual attributes password and password_confirmation for setting and confirming passwords, and it automatically hashes the password using bcrypt.

```ruby
class User < ApplicationRecord
  has_secure_password
end
```

Example

This example shows how to create a User model with has_secure_password, migrate the database to add the password_digest column, and create a user with a password. It demonstrates password hashing and authentication.

```ruby
# Migration to add password_digest column
class AddPasswordDigestToUsers < ActiveRecord::Migration[7.0]
  def change
    add_column :users, :password_digest, :string
  end
end

# User model
class User < ApplicationRecord
  has_secure_password
end

# Usage in Rails console or controller
user = User.new(email: 'test@example.com', password: 'secret123', password_confirmation: 'secret123')
user.save

# Authenticate user
user.authenticate('secret123') # returns user object
user.authenticate('wrongpass') # returns false
```

Output

=> true (when user.save succeeds)
=> #<User id: 1, email: "test@example.com", password_digest: "$2a$12$..."> (when authenticate succeeds)
=> false (when authenticate fails)

Common Pitfalls

  • Not adding the password_digest column to the database causes has_secure_password to fail.
  • Omitting password_confirmation when you intend to check it: the confirmation is only validated when that attribute is set, so a missing confirmation is silently skipped.
  • Expecting to read password back from a saved or reloaded record: it is a virtual attribute, and only password_digest is stored.
  • Not installing the bcrypt gem, which is required for hashing.
```ruby
# Wrong: Missing password_digest column
class User < ApplicationRecord
  has_secure_password
end

# Raises NoMethodError (undefined method `password_digest=`) as soon as a
# password is assigned, e.g. User.new(password: '...'), because the users
# table has no password_digest column to write the hash into

# Right: Add migration
class AddPasswordDigestToUsers < ActiveRecord::Migration[7.0]
  def change
    add_column :users, :password_digest, :string
  end
end
```
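To make the behaviour from the Example and Common Pitfalls sections concrete, here is an added example that is not code from the original page or from Rails itself: a plain-Ruby re-creation of the has_secure_password pattern that runs with no database and no bcrypt gem. The module SecurePasswordLike, the stand-in User class and the demo functions are constructed for this illustration, and PBKDF2-HMAC-SHA256 from Ruby's bundled OpenSSL library is assumed as a stand-in for bcrypt so the code needs only the standard library. It shows that password is virtual and only the digest is kept, that authenticate returns the record or false, that the confirmation is checked only when password_confirmation is supplied, and that a class with no password_digest= writer raises NoMethodError the moment a password is assigned.

```ruby
# Added example, not code from the original page or from Rails: a plain-Ruby
# re-creation of the has_secure_password pattern that runs without a database.
# Assumption: PBKDF2-HMAC-SHA256 from Ruby's bundled OpenSSL stands in for bcrypt.
require "openssl"
require "securerandom"

module SecurePasswordLike
  ITERATIONS = 100_000 # stand-in work factor (bcrypt's default cost in Rails is 12)
  MAX_BYTES = 72       # has_secure_password rejects passwords over 72 bytes

  # Virtual attributes: nothing but password_digest is ever persisted.
  attr_reader :password
  attr_accessor :password_confirmation, :password_digest

  def password=(unencrypted)
    @password = unencrypted
    if unencrypted.nil?
      self.password_digest = nil
    elsif !unencrypted.empty?
      self.password_digest = SecurePasswordLike.hash_password(unencrypted)
    end
  end

  # The validations has_secure_password installs, returned as messages.
  def password_errors
    errors = []
    errors << "password can't be blank" if password_digest.to_s.empty?
    errors << "password is too long" if password.to_s.bytesize > MAX_BYTES
    # Confirmation is checked only when password_confirmation was actually supplied.
    if !password_confirmation.nil? && password_confirmation != password
      errors << "password_confirmation doesn't match"
    end
    errors
  end

  # Like ActiveRecord's #authenticate: the record on success, false otherwise.
  def authenticate(unencrypted)
    return false if password_digest.to_s.empty?
    SecurePasswordLike.verify(password_digest, unencrypted) ? self : false
  end

  # Stand-in for bcrypt; digest layout (constructed): pbkdf2$<iterations>$<salt>$<hex>
  module_function
  def hash_password(unencrypted)
    salt = SecureRandom.hex(16)
    "pbkdf2$#{ITERATIONS}$#{salt}$#{derive(unencrypted, salt, ITERATIONS)}"
  end

  def verify(digest, unencrypted)
    scheme, iters, salt, hex = digest.split("$", 4)
    return false unless scheme == "pbkdf2" && salt && hex
    secure_compare(derive(unencrypted, salt, iters.to_i), hex)
  end

  def derive(unencrypted, salt, iters)
    OpenSSL::KDF.pbkdf2_hmac(unencrypted, salt: salt, iterations: iters, length: 32, hash: "sha256").unpack1("H*")
  end

  # Constant-time comparison, so a wrong guess does not leak where it diverged.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-in model; a real User gets password_digest from the users table column.
class User
  include SecurePasswordLike
  attr_accessor :email
  def initialize(attrs = {})
    attrs.each { |name, value| public_send("#{name}=", value) }
  end
end

# Walks through the page's Example and Common Pitfalls and returns what happens.
def demo
  user = User.new(email: "test@example.com", password: "secret123", password_confirmation: "secret123")
  {
    valid: user.password_errors.empty?,
    digest_stored: user.password_digest.start_with?("pbkdf2$"),
    authenticates: user.authenticate("secret123").equal?(user),
    rejects_wrong: user.authenticate("wrongpass"),
    mismatch_errors: User.new(password: "a", password_confirmation: "b").password_errors,
    no_confirmation_still_valid: User.new(password: "secret123").password_errors.empty?,
    reloaded_password: User.new(password_digest: user.password_digest).password
  }
end

# A model whose table lacks password_digest fails when the password is assigned, not on save.
def missing_digest_column_error
  no_column = Class.new { include SecurePasswordLike; undef_method :password_digest= }
  no_column.new.password = "secret123"
  nil
rescue NoMethodError => e
  e.class.name
end
```

In a real application keep has_secure_password and bcrypt; the stand-in KDF exists only so the moving parts (virtual attribute, stored digest, constant-time verification, optional confirmation) can be read and run in isolation.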

Quick Reference

Feature                  | Description
-------------------------|-----------------------------------------------------
has_secure_password      | Adds password hashing and authentication to a model
password_digest          | Database column that stores the hashed password
password                 | Virtual attribute to set the password
password_confirmation    | Virtual attribute to confirm the password
authenticate(password)   | Verifies a password; returns the user or false
bcrypt gem               | Required gem for hashing passwords

Key Takeaways

  • Add has_secure_password to your model and ensure a password_digest column exists.
  • Use the password and password_confirmation virtual attributes to set and confirm passwords.
  • Install the bcrypt gem to enable password hashing.
  • Use the authenticate method to verify passwords securely.
  • Never store plain text passwords; has_secure_password handles hashing automatically.