Posted 9 months ago. Visible to the public.

Take care of existing users when upgrading Clearance

When upgrading Clearance, pay attention whether the password hashing strategy might have changed. Old clearance versions (< 1.0) used SHA1-encrypted passwords by default. Current versions default to BCrypt.

If you simply upgrade without taking this into account, users will get a BCrypt::Errors::InvalidHash when trying to sign in. Your tests will not notice this, since they create new users for each scenario.

To fix it, you'll either have to force all users to reset their passwords, or you can allow old users to keep signing in with their legacy credentials. This works by

  • adding the gem clearance-deprecated_password_strategies to your Gemfile

  • updating config/initializers/clearance.rb:

    config.password_strategy = Clearance::PasswordStrategies::BCryptMigrationFromSHA1

Does your version of Ruby on Rails still receive security updates?
Rails LTS provides security patches for old versions of Ruby on Rails (3.2 and 2.3).

Owner of this card:

Tobias Kraze
Last edit:
9 months ago
by Henning Koch
About this deck:
We are makandra and do test-driven, agile Ruby on Rails software development.
License for source code
Posted by Tobias Kraze to makandra dev
This website uses cookies to improve usability and analyze traffic.
Accept or learn more