Move valid_password? up to database authenticatable.

lib/devise/models/database_authenticatable.rb

@@ -40,7 +40,7 @@ module Devise
       # Verifies whether an password (ie from sign in) is the user password.
       def valid_password?(password)
         return false if encrypted_password.blank?
-        Devise::Encryptors::BCrypt.compare(self.encrypted_password, password, self.class.stretches, nil, self.class.pepper)
+        encryptor_class.compare(encrypted_password, password, self.class.stretches, authenticatable_salt, self.class.pepper)
       end
 
       # Set password and password confirmation to nil
@@ -98,14 +98,18 @@ module Devise
 
       # A reliable way to expose the salt regardless of the implementation.
       def authenticatable_salt
-        self.encrypted_password[0,29] if self.encrypted_password
+        encrypted_password[0,29] if encrypted_password
       end
 
     protected
 
       # Digests the password using bcrypt.
       def password_digest(password)
-        Devise::Encryptors::BCrypt.digest(password, self.class.stretches, ::BCrypt::Engine.generate_salt, self.class.pepper)
+        encryptor_class.digest(password, self.class.stretches, ::BCrypt::Engine.generate_salt, self.class.pepper)
+      end
+
+      def encryptor_class
+        Devise::Encryptors::BCrypt
       end
 
       module ClassMethods

lib/devise/models/encryptable.rb

@@ -2,7 +2,8 @@ require 'devise/strategies/database_authenticatable'
 
 module Devise
   module Models
-    # Encryptable Module adds support to several encryptors.
+    # Encryptable module adds support to several encryptors wrapping
+    # them in a salt and pepper mechanism to increase security.
     #
     # == Options
     #
@@ -28,30 +29,33 @@ module Devise
         [:password_salt]
       end
 
-      # Generates password salt.
+      # Generates password salt when setting the password.
       def password=(new_password)
         self.password_salt = self.class.password_salt if new_password.present?
         super
       end
 
+      # Overrides authenticatable salt to use the new password_salt
+      # column. authenticatable_salt is used by `valid_password?`
+      # and by other modules whenever there is a need for a random
+      # token based on the user password.
       def authenticatable_salt
         self.password_salt
       end
 
-      # Verifies whether an incoming_password (ie from sign in) is the user password.
-      def valid_password?(incoming_password)
-        self.class.encryptor_class.compare(self.encrypted_password,incoming_password, self.class.stretches, self.password_salt, self.class.pepper)
-      end
-
     protected
 
       # Digests the password using the configured encryptor.
       def password_digest(password)
-        if self.password_salt.present?
-          self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)
+        if password_salt.present?
+          encryptor_class.digest(password, self.class.stretches, authenticatable_salt, self.class.pepper)
         end
       end
 
+      def encryptor_class
+        self.class.encryptor_class
+      end
+
       module ClassMethods
         Devise::Models.config(self, :encryptor)
 

lib/devise/models/rememberable.rb

@@ -75,7 +75,7 @@ module Devise
       def rememberable_value
         if respond_to?(:remember_token)
           remember_token
-        elsif salt = authenticatable_salt
+        elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt)
           salt
         else
           raise "authenticable_salt returned nil for the #{self.class.name} model. " \