How can I sometimes require password and sometimes not with has_secure_password?

Question

My app lets people register using a password OR with Facebook.

Even when I remove the password validations from my User model, I get :password_digest => ["can't be blank"] on the user model.

I use has_secure_password.

How can I make password_digest NOT required?

Answer 1

You can't. has_secure_password automatically adds two validators to your model:

validates_confirmation_of :password
validates_presence_of     :password_digest

Instead, supply a dummy value for password_digest for users that don't have a password:

user.password = user.password_confirmation = ""
user.password_digest = "facebook-authorized account"

This is secure, as no password can possibly be hashed to match that digest.

Answer 2

More recent commits have added an options hash to has_secure_password which allows skipping validations for the password_digest field. You use it like this:

 has_secure_password :validations => false

This is not present in the 3.2.13 version of rails unfortunately. Refer to https://stackoverflow.com/a/16706045/1356792