Devise invalid email or password with valid information

Question

Here is the setup:

~/.rvm/gems/ruby-2.1.2/gems/devise-3.2.4
~/.rvm/gems/ruby-2.1.2/gems/rails-4.1.1
~/.rvm/gems/ruby-2.1.2/gems/mongoid-f9e6fdb1a67c

I'm facing an awful error with Devise which never accepts signing a user in except after confirmation.

I use default devise views for sign in / sign up. I overrode two controllers: confirmation, to allow setting up a password from confirmable email as explained in Devise's FAQ and it works like a charm.

I also overrode registration controller to configure permitted parameters for strong parameters as explained in Devise FAQ and this also works like a charm.

Here are my routes:

  as :user do
    patch '/users/confirmation' => 'confirmations#update', :via => :patch, :as => :update_user_confirmation
  end
  devise_for :users, controllers: { :confirmations => 'confirmations', :registrations => 'registrations' }

Here is my User resource:

class User
  include Mongoid::Document
  devise :database_authenticatable, :registerable,
         :recoverable, :trackable, :validatable,
         :confirmable, :lockable, :timeoutable

  #required fields
end

So, when creating a user, confirmation mail is sent, confirmation page shows up, user can set his password (which is indeed written in database (checked from console)) and is then signed in and redirected properly.

Now, if I log the user out and try to log in, I always face the error Invalid email or password and get redirected back to sign_in page.

I tried tracking where the problem was and all I could find was that lines beyond self.password = auth_values[:password] of authenticatable#with_authentication_hash strategy were never hit (even though auth_values[:password] is carrying the right password).

I have no idea what can go wrong with that line. Any clue is more than welcome.

========================= EDITED =========================

Here is the registraction controller:

class RegistrationsController < Devise::RegistrationsController

  #https://github.com/plataformatec/devise/tree/v3.0.0.rc#strong-parameters
  before_filter :configure_permitted_parameters

  layout 'public'

  private

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up){ |params| params.permit(:first_name, :email) }
  end

end

Answer 1

why did you override registration controller? you can configure permitted parameter in application controller itself(as the explained in the doc which you have pointed at). I have done it and it works just fine. i would suggest that you should remove route to controller registration and use application controller to permit extra params.

Answer 2

OK, I found the answer, someone on my team brutally commited a change to the SessionsController#new.html.erb view.

Instead of

<%= f.email_field :email, autofocus: true %></div>

code was

<%= f.email_field :email, autofocus: true, :name => 'email' %></div>

which caused the email field to be dropped out of the user hash. As it seems that nobody requires(:email), Devise was complaining in fact because email was missing.

Thank you BallsOfSteel for your input, you put me on the track dude!