Is User.password supposed to be nil in devise?

Question

I am debugging a problem in my Rails 6 app using Devise 4.7.1. I am unable to login with email/password. (I can reset password, and login that way, or use Facebook login.)

The password appears to be getting added to the users.encrypted_password column correctly. It's encrypted, so I can't tell for sure, but the column is not empty when I look at it using the mysql client.

I noticed that when I run rails c to debug, Here's what I get:

2.5.8 :048 > User.last.password
  User Load (2.5ms)  SELECT `users`.* FROM `users` ORDER BY `users`.`id` DESC LIMIT 1
 => nil 

Is User.password supposed to be nil, or is that the expected behavior? I'm trying to understand if this is the source of my problem, or if it's a red herring.

If there's some way I can debug this in the rails console, so I can be sure the value is set correctly, that would be helpful. e.g. User.last.password == some_hash_method('password').

User.encrypted_password does return a value:

2.5.8 :049 > User.last.encrypted_password
  User Load (3.5ms)  SELECT `users`.* FROM `users` ORDER BY `users`.`id` DESC LIMIT 1
 => "$2a$11$pMGOZ/a5YG3Z/QHQ3WZBRO0HpqOGpCRuWyxb6X___SNIPPED___" 

Answer 1

You can debug this in the rails console, @user is a User Object and "password" is plain text password which user has set. It gives you boolean true if password is valid else false.

@user.valid_password?("password")

Answer 2

user.password is an attr_accessor in devise, it will always be nil when you initiate a user after querying it from the db. The password is hashed and stored in the encrypted_password field after hashing by devise.

Passwords are never stored directly on the db as this is a serious security threat. For the purposes of debugging, you can create a new devise controller and print the password when you receive it from the new session form. Do not do this in production though as this is a major security threat