openSUSE / open-build-service

Build and distribute Linux packages from sources in an automatic, consistent and reproducible way #obs
https://openbuildservice.org
GNU General Public License v2.0

administrative password reset through ruby console fails with deprecated password in place #7948

Open jsjhb opened 5 years ago

jsjhb commented 5 years ago

Issue Description

After resetting a password for a user in a local installation of obs with the ruby console, using

```
RAILS_ENV="production" /usr/bin/rails.ruby2.5-5.1.4 console
user = User.where(:login => '<loginname>').first
user.password = "<password>"
user.password_confirmation = "<password>"
user.save
```

the user is still not able to log in. Looking in the database, a distinguishing feature of the account is now that both password_digest and the triple (deprecated_password, deprecated_password_hash_type, deprecated_password_salt) are set for the user. As the deprecated password is still set, login with the newly set password fails. Setting deprecated_password* to "NULL" lets the user log in with the new password.

It seems to me that a successful login with deprecated_password migrates the entries to use password_digest and sets the deprecated_password fields to NULL.

Documentation about administrative password change is lacking, where such behavior could have been noted down.

Expected Result

Resetting password with the crude ruby console should work, i.e. a present password_digest should have precedence over the deprecated password.

Ideally there would be a password change function in the "Configuration" - "Manage Users" page, without the need for the ruby console or direct manipulation of the database, as proposed in #699.

How to Reproduce

  1. Have a user created in obs versions prior to at least 2.10 (with local accounts) with deprecated_password* set.
  2. Set a new password using the ruby console as described above.
  3. Try logging in with the new password.

Further Information

Seen on: https://pmbs.links2linux.de 2.10-lp151.10.1 on openSUSE Leap 15.1

vpereira commented 5 years ago

Hi @jsjhb, did user.save return true? If not, could you please paste the results of user.errors here?

jsjhb commented 5 years ago

user.save gave true, and for the errors, please have a look (username, email, and hashes modified):

```
buildhost:/srv/www/obs/api # RAILS_ENV="production" /usr/bin/rails.ruby2.5-5.1.4 console
DEPRECATED: Please update your options.yml by running 'rake migrate_options_yml'
Loading production environment (Rails 5.2.3)
irb(main):001:0> user = User.where(:login => 'olddude').first
=> #<User id: 7, created_at: "2017-06-22 19:51:45", updated_at: "2018-04-04 12:49:13", last_logged_in_at: nil, login_failure_count: 0, login: "olddude", email: "dude@elduder.io", realname: "", password_digest: nil, deprecated_password: "eed3c8afc6e203f8bb296c39518ff1d9", deprecated_password_hash_type: "md5", deprecated_password_salt: "ghD2wykZAD", adminnote: nil, state: "deleted", owner_id: nil, ignore_auth_services: false, in_beta: false>
irb(main):002:0> user.password = "B1gBu115iht"
=> "B1gBu115iht"
irb(main):003:0> user.save
=> true
irb(main):005:0> user.errors
=> #<ActiveModel::Errors:0x0000560ab719e340 @base=#<User id: 7, created_at: "2017-06-22 19:51:45", updated_at: "2019-07-25 17:00:09", last_logged_in_at: nil, login_failure_count: 0, login: "olddude", email: "dude@elduder.io", realname: "", password_digest: "$2a$12$z/Roa8r.NS165K8vdnsGmOjvHLdmfhg2eMNvce.G2jB...", deprecated_password: "eed3c8afc6e203f8bb296c39518ff1d9", deprecated_password_hash_type: "md5", deprecated_password_salt: "ghD2wykZAD", adminnote: nil, state: "deleted", owner_id: nil, ignore_auth_services: false, in_beta: false>, @messages={}, @details={}>
irb(main):006:0> exit
**Airbrake: closed
buildhost:/srv/www/obs/api #
```

hennevogel commented 5 years ago

You also need to set user.password_confirmation now, as we started to use has_secure_password; see the docu.

jsjhb commented 5 years ago

I did that initially, with the same result.

Also, can you please give a link to the docu?

coolo commented 5 years ago

The password_confirmation is not the problem. I can confirm the issue - I actually have it every time I load a production dump into my development env.

You can set passwords all day long; as long as you aren't also wiping the deprecated_password field, that one will be used.
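The precedence problem described in the issue and confirmed by coolo, modelled as an added, self-contained Ruby example (not OBS code): a record carries both the legacy triple and a password_digest, the login check honours a present deprecated_password first, and a console reset that writes only the digest therefore has no effect. The legacy formula (md5 of salt plus password) and the PBKDF2 stand-in for has_secure_password's bcrypt are assumptions for illustration; the user names and passwords are constructed sample data.

```ruby
require 'openssl'
require 'digest'
require 'securerandom'

# Constructed stand-in for a user row with both credential schemes the issue
# describes: the legacy triple (deprecated_password, deprecated_password_hash_type,
# deprecated_password_salt) and the newer password_digest column.
# NOT OBS code; the md5 formula and PBKDF2 parameters are assumptions.
class UserRecord
  attr_accessor :login, :password_digest,
                :deprecated_password, :deprecated_password_hash_type,
                :deprecated_password_salt

  PBKDF2_ITERATIONS = 100_000

  def initialize(login)
    @login = login
  end

  # Legacy account as an old OBS version might have stored it (assumed md5(salt + password)).
  def set_legacy_password(plain)
    @deprecated_password_salt = SecureRandom.alphanumeric(10)
    @deprecated_password_hash_type = 'md5'
    @deprecated_password = Digest::MD5.hexdigest(@deprecated_password_salt + plain)
    self
  end

  # Modern digest: stand-in for bcrypt, using PBKDF2-HMAC-SHA256, stored as "salt$hex".
  def self.digest_for(plain, salt = SecureRandom.hex(16))
    dk = OpenSSL::KDF.pbkdf2_hmac(plain, salt: salt, iterations: PBKDF2_ITERATIONS,
                                  length: 32, hash: 'sha256')
    "#{salt}$#{dk.unpack1('H*')}"
  end

  # Naive console reset, as in the report: only password_digest is written.
  def set_password_naive(plain)
    @password_digest = self.class.digest_for(plain)
    self
  end

  # Corrected reset: also clear the deprecated triple so it cannot shadow the digest.
  def set_password_clearing_legacy(plain)
    set_password_naive(plain)
    @deprecated_password = @deprecated_password_hash_type = @deprecated_password_salt = nil
    self
  end

  # Login check modelling the observed precedence: a present deprecated_password wins.
  # (The real app migrates a successful legacy login to password_digest; not modelled.)
  def authenticate(plain)
    if deprecated_password
      return secure_eq(Digest::MD5.hexdigest(deprecated_password_salt + plain), deprecated_password)
    end
    return false unless password_digest
    salt, = password_digest.split('$', 2)
    secure_eq(self.class.digest_for(plain, salt), password_digest)
  end

  private

  # Constant-time comparison so hash checks do not leak matching-prefix length.
  def secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Runs both reset styles against a constructed legacy account and reports which logins succeed.
def demo_reset_precedence
  naive = UserRecord.new('olddude').set_legacy_password('old-secret')
  naive.set_password_naive('new-secret')

  fixed = UserRecord.new('olddude').set_legacy_password('old-secret')
  fixed.set_password_clearing_legacy('new-secret')

  {
    naive_new: naive.authenticate('new-secret'), # false: deprecated_password still shadows the digest
    naive_old: naive.authenticate('old-secret'), # true: the legacy hash is what gets checked
    fixed_new: fixed.authenticate('new-secret'), # true: digest is used once the triple is cleared
    fixed_old: fixed.authenticate('old-secret')  # false: the old credential no longer works
  }
end

puts demo_reset_precedence.inspect if $PROGRAM_NAME == __FILE__
```

The takeaway for an administrator is the one coolo states: a reset through the console must clear the three deprecated_password* columns as well as set the new password, otherwise the old credential stays valid and the new one is never consulted.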