riverrun / comeonin

Password hashing specification for the Elixir programming language

Home Page: https://hex.pm/packages/comeonin


add_hash sets the password to nil

josevalim opened this issue · comments

Hi @riverrun!

I have noticed that add_hash sets the password to nil. However, the trouble with this is, if validation fails later on, for example because of a uniqueness constraint, then the password will be removed from the form when re-rendered and the user will have to input it again.

Should I just skip add_hash and hash it manually? Or is there a security concern in not clearing the field?

Thank you!

> then the password will be removed from the form when re-rendered and the user will have to input it again.

As a user, I expect things to be like this…


To be clear, we are talking about sign up, which is when this function is used, and not login.

Gmail, Amazon, Apple, none of them are clearing up the password on sign up submission in case of errors. Which makes sense, forcing the user to re-enter it is not very UX friendly. I will be glad to see counter examples though.

Okay, then I misunderstood. I thought indeed we were talking about login.

@josevalim thanks for raising the issue.

The rationale for setting the password to nil was that it would not be needed (or so I thought), and I thought that, as it contains sensitive information, it would be better to clear it within this function.

Having said that, I am open to the idea of updating add_hash to leave the password as it is (not set it to nil). I can do this in a future minor (or major) version upgrade.

I will update the add_hash function at the weekend.

Updated the add_hash function to not set the password to nil.

The new versions of the password hashing libraries are as follows:

  • comeonin 5.3.0
  • argon2_elixir 2.3.0
  • bcrypt_elixir 2.2.0
  • pbkdf2_elixir 1.2.0
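The two behaviours discussed in this thread, side by side, as an added illustration that is not comeonin's own code: an add_hash-style helper that hashes and then clears the password (the behaviour before 5.3.0, as described above) versus one that hashes and leaves the field alone (the behaviour from 5.3.0 onwards), followed by a later validation failure such as a uniqueness constraint. It works on a plain map rather than an Ecto changeset, and `fake_hash/1` is a placeholder for a real slow password hash (argon2, bcrypt or pbkdf2), not something to use for real passwords; the module name, the `sign_up/2` helper and the sample input are all constructed for this example.

```elixir
# Added illustration, not comeonin's code: hash-then-clear versus hash-and-keep,
# and what a re-rendered sign-up form would see after a later validation error.
defmodule AddHashDemo do
  # Placeholder for a real password hashing function (argon2/bcrypt/pbkdf2).
  # A single SHA-256 is NOT a suitable password hash; it only keeps the demo self-contained.
  def fake_hash(password) when is_binary(password) do
    :crypto.hash(:sha256, password) |> Base.encode16(case: :lower)
  end

  # Behaviour before 5.3.0: store the hash, then overwrite the password with nil.
  def add_hash_clearing(%{password: pw} = params) do
    params
    |> Map.put(:password_hash, fake_hash(pw))
    |> Map.put(:password, nil)
  end

  # Behaviour from 5.3.0 onwards: store the hash and leave the password field as it was.
  def add_hash_keeping(%{password: pw} = params) do
    Map.put(params, :password_hash, fake_hash(pw))
  end

  # A validation step that runs after hashing, e.g. a uniqueness constraint on the email.
  # Constructed sample: "taken@example.com" plays the already-registered address.
  def validate_unique_email(%{email: "taken@example.com"} = params),
    do: {:error, params, "email has already been taken"}

  def validate_unique_email(params), do: {:ok, params}

  # Simulated sign-up: on failure, return the password value the re-rendered form would get.
  def sign_up(params, add_hash_fun) when is_function(add_hash_fun, 1) do
    case params |> add_hash_fun.() |> validate_unique_email() do
      {:ok, _} = ok -> ok
      {:error, failed_params, msg} -> {:error, failed_params.password, msg}
    end
  end
end

# Constructed input that will fail the uniqueness check.
params = %{email: "taken@example.com", password: "correct horse battery staple"}

# Clearing variant: the form has nothing to re-render, so the user types the password again.
{:error, nil, msg} = AddHashDemo.sign_up(params, &AddHashDemo.add_hash_clearing/1)
IO.puts("clearing variant -> password for form: nil (#{msg})")

# Keeping variant: the password is still present for the re-rendered form.
{:error, "correct horse battery staple", msg} =
  AddHashDemo.sign_up(params, &AddHashDemo.add_hash_keeping/1)
IO.puts("keeping variant  -> password for form still present (#{msg})")
```

Run with `elixir add_hash_demo.exs`. With the keeping variant the plaintext stays in the params map for as long as the changeset lives, which is exactly what makes the form re-render work; the practical consequence is that the surrounding code must treat that map as sensitive (no logging or inspecting of the full params on the error path) rather than relying on the helper to have scrubbed it.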

Thank you! 💚 💙 💜 💛 ❤️

Hi @riverrun, you may be interested in knowing that in the mix phx.gen.auth PR a lot of people defended deleting the password after hashing. You may want to revert this. Sorry for misleading you in case you want to rollback.

@josevalim thanks for letting me know. I will follow the discussion on the mix phx.gen.auth PR and make a decision later. I am also considering deprecating and removing this function and the check_pass function soon, as they seem to cause some confusion, and they are probably less useful than I thought they would be.

I might be late to the party, but the default behaviour is to clean the password if sign-up fails (validation, etc.).