Rails authentication error using bcrypt

Question

I have a list of users I want to show on rails app API. I am using bcrypt to hash the password. I have created and checked that I have a list of several users on rails console:

2.2.2 :010 > User.all
  User Load (8.9ms)  SELECT "users".* FROM "users"
 => #<ActiveRecord::Relation [#<User id: 2, created_at: "2016-07-19 06:23:35", updated_at: "2016-07-19 06:23:35", username: "iggy1", encrypted_password: "", reset_password_token: nil, reset_password_sent_at: nil, remember_created_at: nil, sign_in_count: 0, current_sign_in_at: nil, last_sign_in_at: nil, current_sign_in_ip: nil, last_sign_in_ip: nil, password_digest: "$2a$10$We2V5sFx3XJNHP9iHTx.5udLA9hEbJVDOcA01nemj0R...">,

I am testing this on localhost. The goal is for me to go to http://localhost:3000/api/users and have a list of all users in json format.

When I go to the site, I was prompted username and password. I entered one of the User's username and password : "iggy1", "helloworld". I see this error message:

SQLite3::SQLException: no such column: users.password: SELECT "users".* FROM "users" WHERE "users"."username" = ? AND "users"."password" = 'helloworld'

My schema looks like:

create_table "users", force: :cascade do |t|
    t.datetime "created_at",                          null: false
    t.datetime "updated_at",                          null: false
    t.string   "username"
    t.string   "encrypted_password",     default: "", null: false
    t.string   "reset_password_token"
    t.datetime "reset_password_sent_at"
    t.datetime "remember_created_at"
    t.integer  "sign_in_count",          default: 0,  null: false
    t.datetime "current_sign_in_at"
    t.datetime "last_sign_in_at"
    t.string   "current_sign_in_ip"
    t.string   "last_sign_in_ip"
    t.string   "password_digest"
  end

I tried playing around with it a little bit. I followed the code given on bcrypt website .

Here are my codes:

#controller/api/users_controller.rb

class UsersController < ApplicationController
  def create
    @user = User.new(params[:user])
    @user.password = params[:password]
    @user.save!
  end
end


#controllers/users_controller.rb

class UsersController < ApplicationController
  def create
    @user = User.new(params[:user])
    @user.password = params[:password]
    @user.save!
  end
end


#models/user.rb

require 'bcrypt'

class User < ActiveRecord::Base
  #include 'bcrypt'
  has_many :lists
  has_many :items, through: :lists
  has_secure_password

  def password
    @password ||= Password.new(password_hash)
  end

  def password=(new_password)
    @password = Password.create(new_password)
    self.password_hash = @password
  end

end


#controllers/application_controller.rb

class ApiController < ApplicationController
  skip_before_action :verify_authenticity_token
  private

def authenticated?
    authenticate_or_request_with_http_basic {|username, password| User.where( username: username, password: password).present? }
  end
end

#config routes

Rails.application.routes.draw do
  namespace :api, defaults: { format: :json} do #supports JSON requests
    resources :users
  end
end

Now when I have include 'bcrypt' line un-commented, I see a different error when I go to http://localhost:3000/api/users

wrong argument type String (expected Module)

I have several hypothesis on why this happens.

First, I think it is because I use bcrypt, and it has password_digest. I don't specifically have password on my schema (on application controller it says username and password, explicitly). I think rails might have tried to look for 'password' but couldn't find it. I don't know bcrypt enough to say this is the case, though.

Second, on bcrypt website , I didn't implement the following code because I was not sure where to put it. Could this be the case bcrypt not behaving as I wanted?

  def login
    @user = User.find_by_email(params[:email])
    if @user.password == params[:password]
      give_token
    else
      redirect_to home_url
    end
  end

I was not sure what is missing.

Answer 1

There are two fields available for password in your DB Schema

If you are using Devise for Authentication then encrypted_password field is used for storing password.