Read more

Take care of existing users when upgrading Clearance

Tobias Kraze
August 26, 2019Software engineer at makandra GmbH

When upgrading Clearance, pay attention whether the password hashing strategy might have changed. Old clearance versions (< 1.0) used SHA1-encrypted passwords by default. Current versions default to BCrypt.

Illustration UI/UX Design

UI/UX Design by makandra brand

We make sure that your target audience has the best possible experience with your digital product. You get:

  • Design tailored to your audience
  • Proven processes customized to your needs
  • An expert team of experienced designers
Read more Show archive.org snapshot

If you simply upgrade without taking this into account, users will get a BCrypt::Errors::InvalidHash when trying to sign in. Your tests will not notice this, since they create new users for each scenario.

To fix it, you'll either have to force all users to reset their passwords, or you can allow old users to keep signing in with their legacy credentials. This works by

  • adding the gem clearance-deprecated_password_strategies to your Gemfile

  • updating config/initializers/clearance.rb:

    config.password_strategy = Clearance::PasswordStrategies::BCryptMigrationFromSHA1
    
Posted by Tobias Kraze to makandra dev (2019-08-26 12:06)