Tyler DeWitt

Reputation: 23576

Rails password_confirmation being filtered with Devise

I've read a couple of tutorials over the years that say you have to update config.filter_parameters to something like config.filter_parameters += [:password, :password_confirmation] in application.rb in order to not have passwords stored to your log file. I've also seen a bunch of tutorials that just list off config.filter_parameters += [:password]. I've always used Devise, and I noticed that so long as I had config.filter_parameters += [:password] (which is the default in Rails 3.2.13), my password and password confirmation are both filtered.

Why is the password_confirmation filtered? Is this a Rails thing? Devise?

Obviously, this is the behavior I want. Just curious why it works this way.

Upvotes: 2

Views: 1539

Answers (1)

Shawn Balestracci

Reputation: 7530

It's a Rails thing:

http://api.rubyonrails.org/classes/ActionDispatch/Http/FilterParameters.html#method-i-parameter_filter

Essentially the keys are just passed through a regular expression like /password/ and if it matches then the value is converted to "[FILTERED]"

so fields matching password_confirmation or even do_not_filter_this_password would both end up filtered by default.

Upvotes: 3
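The matching described in the answer above, as an added example that is neither part of the original answer nor Rails' own code: a simplified plain-Ruby model that assumes symbol filters compile to one case-insensitive, unanchored regex. The helper names `compile_filters` and `filter_params` and the sample request are constructed for illustration.

```ruby
# Simplified model of Rails parameter filtering (assumption: not the Rails source).
# Symbol/string filters become one case-insensitive, unanchored regex;
# Regexp filters are used as given. Nested hashes and arrays are walked.
FILTERED = "[FILTERED]"

def compile_filters(filters)
  regexps, strings = filters.partition { |f| f.is_a?(Regexp) }
  unless strings.empty?
    escaped = strings.map { |s| Regexp.escape(s.to_s) }
    regexps << Regexp.new(escaped.join("|"), Regexp::IGNORECASE)
  end
  regexps
end

def filter_params(params, filters)
  regexps = compile_filters(filters)
  walk = lambda do |value|
    case value
    when Hash
      value.each_with_object({}) do |(k, v), out|
        hit = regexps.any? { |re| re.match?(k.to_s) }
        out[k] = hit ? FILTERED : walk.call(v)
      end
    when Array then value.map { |v| walk.call(v) }
    else value
    end
  end
  walk.call(params)
end

# Constructed sample resembling a Devise sign-up request.
SAMPLE = {
  "user" => {
    "email" => "a@example.com",
    "password" => "hunter2",
    "password_confirmation" => "hunter2",
    "do_not_filter_this_password" => "still hidden",
    "passwd_hint" => "not matched by :password"
  }
}

# Substring match: every key containing "password" is hidden.
DEFAULT_RESULT = filter_params(SAMPLE, [:password])
# Anchored regex: only the exact key "password" is hidden.
ANCHORED_RESULT = filter_params(SAMPLE, [/\Apassword\z/])

puts DEFAULT_RESULT.inspect
puts ANCHORED_RESULT.inspect
```

Because the match is on substrings of the key, a sensitive field whose name does not contain a listed term (here `passwd_hint`) is logged in clear and needs its own filter entry.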
