Using a typical Rails 4.1 app with `has_secure_password`, where the `User` model has a `password_digest` column in the DB. When I create a new user, I can still access the plaintext password in the console:
    # in rails console
    > u = User.new(email: "[email protected]", password: "password")
    > u.save
    > u.password
    => "password"
    > u.password_digest
    => "xjdk..."
However, when I close the console session and start a new one, I can no longer retrieve the plaintext password:
    # close above console session and open a new one
    > u = User.find_by(email: "[email protected]")
    > u.password
    => nil
I'm assuming that the plaintext password is only retrievable in the first situation because it's being stored in memory, and when I call `u.password => "password"` it is retrieving the value from memory, NOT the database.
I had always thought `has_secure_password` stored the (salt + password) as a hash, and I thought that meant it was theoretically impossible (if I can use that terminology) to reverse the `password_digest` and get the original password.
I'm just making sure my assumption that the password is stored as a real hash (i.e., the original password can't be retrieved) is valid. I've read the Rails `has_secure_password` API docs, but they didn't clarify my question.
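The behaviour described above can be reproduced without Rails in a few dozen lines. The following is an added, constructed example (not Rails source, not the bcrypt gem, and not the asker's code) that mimics the shape of `has_secure_password`: `password=` keeps the plaintext in an instance variable and writes a salted one-way derivation into `password_digest`; only the digest column goes into a stand-in "table"; a record loaded back from that table has `password == nil`. Rails uses bcrypt; here PBKDF2-HMAC-SHA256 from Ruby's stdlib `OpenSSL::KDF` stands in as an assumption so the script runs with no extra gems. The `User`, `TABLE`, `save`, `find_by_email` and `demo` names are all made up for this illustration.

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for a has_secure_password model (not Rails code).
class User
  ITERATIONS = 100_000 # assumption: work factor for the PBKDF2 stand-in
  attr_accessor :email, :password_digest
  attr_reader :password # lives only in memory on this object, never persisted

  def initialize(email:, password: nil, password_digest: nil)
    @email = email
    @password_digest = password_digest
    self.password = password unless password.nil?
  end

  # Assigning a password derives a fresh salted digest; the plaintext is kept
  # only as an instance variable, exactly like the attr_reader in the question.
  def password=(plain)
    @password = plain
    salt = SecureRandom.hex(16)
    @password_digest = "#{salt}$#{User.derive(plain, salt)}"
  end

  # One-way derivation: salt + password in, fixed-size digest out.
  def self.derive(plain, salt)
    OpenSSL::KDF.pbkdf2_hmac(plain, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: "sha256").unpack1("H*")
  end

  # Constant-time comparison so a mismatch does not leak where it differs.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Verification never recovers the password: it re-derives from the stored
  # salt and compares digests, which is all authenticate needs.
  def authenticate(plain)
    salt, stored = password_digest.split("$", 2)
    User.secure_equal?(User.derive(plain, salt), stored) ? self : false
  end
end

# Constructed stand-in for the users table: only the columns Rails persists.
TABLE = {}

def save(user)
  TABLE[user.email] = { "email" => user.email,
                        "password_digest" => user.password_digest }
  true
end

# Loading a row builds a new object with no plaintext, like User.find_by.
def find_by_email(email)
  row = TABLE[email]
  return nil if row.nil?
  User.new(email: row["email"], password_digest: row["password_digest"])
end

def demo
  u = User.new(email: "alice@example.test", password: "password") # constructed
  save(u)
  fresh = find_by_email("alice@example.test")
  twin = User.new(email: "bob@example.test", password: "password") # same password
  {
    in_memory_password: u.password,          # "password": still on the object
    reloaded_password: fresh.password,       # nil: the column was never stored
    digest_persisted: fresh.password_digest == u.password_digest,
    different_salts: twin.password_digest != u.password_digest,
    auth_ok: fresh.authenticate("password") ? true : false,
    auth_bad: fresh.authenticate("wrong") ? true : false
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

`different_salts` shows why two users with the same password get different digests, and `auth_ok`/`auth_bad` show that verification works by re-deriving and comparing, never by decrypting; the digest alone gives an attacker with a database dump nothing better than guessing against a slow KDF.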