Rails provides the `has_secure_password` method, which makes it gloriously easy to implement authentication in our application. But we often need an extra layer of verification before allowing users to update certain fields. For example, users must provide their "old" password when updating their email or password.

Before Rails 7.1

To implement this, we must manually add and validate the `current_password` accessor:

```ruby
# app/models/user.rb
class User < ActiveRecord::Base
  has_secure_password
  attr_accessor :current_password
end
```

```ruby
# app/controllers/passwords_controller.rb
class PasswordsController < ApplicationController
  def update
    password_challenge = password_params.delete(:current_password)
    # Check the "old" password against the stored digest before accepting the change.
    if current_user.authenticate(password_challenge)
      if current_user.update(password_params)
        redirect_to root_path, notice: "Password updated."
      else
        render :edit, status: :unprocessable_entity
      end
    else
      current_user.errors.add(:current_password, "is incorrect")
      render :edit, status: :unprocessable_entity
    end
  end

  private

  def password_params
    params.require(:user).permit(:current_password, :password, :password_confirmation)
  end
end
```
Rails 7.1 also introduces `authenticate_by`, a class method used together with `has_secure_password` to prevent timing-based user enumeration.