 

Weird issue with devise valid_password?

For the past 2 hours, I have been trying to debug a weird issue in devise which is not letting me login.

Here's the stuff I'm referring to:

```ruby
password
=> 'vinodsobale'
password == 'vinodsobale'
=> true
resource.valid_password?(password)
=> false
resource.valid_password?('vinodsobale')
=> true
```

Attaching the screenshot as well:

Note: I have enabled debugger inside devise so the above code is devise internal code.

To me, it looks like an issue in Devise.secure_compare.

Viren asked Dec 07 '15 14:12


1 Answer

This issue is due to a known string-corruption bug in Ruby 2.2.0 that was fixed in 2.2.2.

As described in the bug report, the corruption occurred when BCrypt called a specific string-creation API from its C extension, which Devise v3.3.0 triggered by calling ::BCrypt::Engine.hash_secret from the Devise::Models::DatabaseAuthenticatable#valid_password? method. A Devise-specific workaround for this bug was published in v3.5.0.

The solution is to either:

  • Downgrade Ruby to < 2.2.0, or upgrade to >= 2.2.2;
  • Upgrade Devise to >= 3.5.0.
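To make the mechanics behind the symptom concrete, here is an added example that is not Devise's or the bcrypt gem's code. It re-implements the shape of `valid_password?`: hash the candidate password with the stored salt, then compare the digest to the stored digest with a constant-time comparison modelled on `Devise.secure_compare`. The `hash_secret` stand-in uses salted SHA-256 from the Ruby standard library so the example runs without the bcrypt gem (an assumption made for portability; Devise uses bcrypt). The `diagnose` helper captures the observations from the question in one place: plaintext equality can hold while the hash-based check fails, which points at the hashing step rather than at the comparison of the plaintext.

```ruby
require 'digest'
require 'securerandom'

# Constant-time byte comparison, modelled on Devise.secure_compare.
# This is a re-implementation for the example, not Devise's own source.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.empty? || b.empty?
  return false if a.bytesize != b.bytesize
  left = a.unpack("C#{a.bytesize}")
  res = 0
  # XOR every byte pair and OR the results so timing does not depend on
  # where the first mismatch occurs.
  b.each_byte { |byte| res |= byte ^ left.shift }
  res == 0
end

# Stand-in for BCrypt::Engine.hash_secret (assumption: salted SHA-256 is used
# here only so the example runs offline; Devise itself uses bcrypt).
def hash_secret(password, salt)
  Digest::SHA256.hexdigest("#{salt}#{password}")
end

def generate_salt
  SecureRandom.hex(16)
end

# Mirrors the shape of Devise::Models::DatabaseAuthenticatable#valid_password?:
# hash the candidate with the stored salt and compare digests, never plaintexts.
def valid_password?(encrypted_password, salt, password)
  return false if encrypted_password.nil? || salt.nil? || password.nil?
  secure_compare(hash_secret(password, salt), encrypted_password)
end

# Diagnostic for the situation in the question: compare a candidate string
# against a literal on several axes so a mismatch can be localised.
def diagnose(encrypted_password, salt, candidate, literal)
  {
    plaintext_equal: candidate == literal,
    bytes_equal: candidate.bytes == literal.bytes,
    same_encoding: candidate.encoding == literal.encoding,
    candidate_valid: valid_password?(encrypted_password, salt, candidate),
    literal_valid: valid_password?(encrypted_password, salt, literal)
  }
end

if __FILE__ == $0
  # Constructed sample data: a stored salt and digest for the password
  # from the question.
  salt = generate_salt
  stored = hash_secret('vinodsobale', salt)
  puts valid_password?(stored, salt, 'vinodsobale')
  p diagnose(stored, salt, 'vinodsobale'.dup, 'vinodsobale')
end
```

On a healthy interpreter `candidate_valid` and `literal_valid` agree whenever `bytes_equal` is true; the question's output (plaintext equal, hash check failing for one of two identical strings) is exactly the disagreement this helper makes visible, and it points at the hashing call rather than at `secure_compare`.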
wjordan answered Oct 11 '22 14:10