Tags: ruby-on-rails, mongodb, authentication, mongoid, sorcery

Mongoid + Sorcery: Visible confirm_password field in database


I'm using the Sorcery gem to handle authentication in my Rails app (which uses MongoDB via Mongoid as its database), and my user model looks like this:

class User
  include Mongoid::Document
  attr_accessible :username, :email, :password, :password_confirmation
  authenticates_with_sorcery!

  field :username, :type => String
  field :email, :type => String

  # The two declarations this question is about
  field :password, :type => String
  field :password_confirmation, :type => String

  validates_confirmation_of :password
  validates_presence_of :password, :on => :create
  validates_presence_of :username
  validates_uniqueness_of :username
  validates_presence_of :email
  validates_uniqueness_of :email
end

Creating a new user via the "New user view" (this one):

<%= form_for @user do |f| %>
  <% if @user.errors.any? %>
    <div class="error_messages">
      <h2>Form is invalid</h2>
      <ul>
        <% for message in @user.errors.full_messages %>
          <li><%= message %></li>
        <% end %>
      </ul>
    </div>
  <% end %>
  <div class="field">
    <%= f.label :username %>
    <%= f.text_field :username %>
  </div>
  <div class="field">
    <%= f.label :email %>
    <%= f.text_field :email %>
  </div>
  <div class="field">
    <%= f.label :password %>
    <%= f.password_field :password %>
  </div>
  <div class="field">
    <%= f.label :password_confirmation %>
    <%= f.password_field :password_confirmation %>
  </div>
  <div class="actions"><%= f.submit %></div>
<% end %>

Results in a record like this one in the database:

1.9.3-p286 :002 > u = User.first
 => #<User _id: 507e6dd961ef51512d000004, _type: nil, username: "Jmlevick", email: "Jmlevick@Jmlevick.com", crypted_password: "$2a$10$yoRzXIu0a2uRRuu9z5MbD.TQQ2upawMC0DGuC/njlQjqzHwdhVWTm", salt: "xwCVQuCNWb9o3fKgvffa", remember_me_token: nil, remember_me_token_expires_at: nil, reset_password_token: nil, reset_password_token_expires_at: nil, reset_password_email_sent_at: nil, password: nil, password_confirmation: "MySecretPassword"> 

So the user is saved and I can log in with the credentials, but as you can see there are two weird things in that record: 1) password is set to nil (but the database does in fact save the actual password and encrypts it, so I'm fine with that), and 2) the :password_confirmation field reveals the password (which has to be encrypted for security)!

Why is this happening? How can I solve it? I need a password confirmation field!


Solution

  • I think you simply need to not include the password_confirmation field in your User class. Mongoid should look for a password_confirmation field because you have validates_confirmation_of :password set, so I don't think you need to set it explicitly.
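To make the mechanism behind that answer concrete, here is an added example that is not code from the question, from Mongoid or from Sorcery. It is a plain-Ruby stand-in: the `field` macro below imitates Mongoid's `field` (every declared field is written into the attributes hash that gets persisted), while a Ruby `attr_accessor` stays in memory only, which is how `validates_confirmation_of`'s `password_confirmation` and Sorcery's `password` normally behave. `FakeSorcery` is an assumption about the gem's callbacks (it hashes the password into `crypted_password`/`salt` and clears the virtual password after save; real Sorcery uses bcrypt, SHA-256 is used here only to stay dependency-free). `LeakyUser`, `SafeUser` and `leaked_secret_keys` are hypothetical names; the sample user data is constructed.

```ruby
require 'digest'
require 'securerandom'

# Stand-in for Mongoid::Document (assumption: only the persistence behaviour
# that matters here is modelled). Declared fields land in @attributes, which
# is exactly what would be written to the database.
module FakeDocument
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Imitates Mongoid's `field :name, :type => ...`: a persisted attribute.
    def field(name, _opts = {})
      define_method(name) { @attributes[name.to_s] }
      define_method("#{name}=") { |value| @attributes[name.to_s] = value }
    end
  end

  def initialize(attrs = {})
    @attributes = {}
    attrs.each { |key, value| public_send("#{key}=", value) }
  end

  # The document as it would be stored.
  def to_document
    @attributes.dup
  end
end

# Stand-in for the Sorcery callbacks relevant to the question (assumption):
# hash the password into crypted_password + salt, then clear the virtual
# password. password_confirmation is never touched by the gem.
module FakeSorcery
  def save
    raise ArgumentError, 'password confirmation does not match' unless password == password_confirmation
    self.salt = SecureRandom.hex(10)
    self.crypted_password = Digest::SHA256.hexdigest(salt + password)
    self.password = nil
    to_document
  end

  # Login still works against the stored hash, so the fix costs nothing.
  def valid_password?(plain)
    crypted_password == Digest::SHA256.hexdigest(salt + plain)
  end
end

# The model as posted: both secrets declared as persisted fields. Because
# `field :password` and `field :password_confirmation` write into the
# persisted attributes, the confirmation survives in the stored document.
class LeakyUser
  include FakeDocument
  include FakeSorcery
  field :username
  field :email
  field :crypted_password
  field :salt
  field :password
  field :password_confirmation
end

# The corrected model: password and password_confirmation are virtual
# attributes only (attr_accessor), so they never reach the document.
class SafeUser
  include FakeDocument
  include FakeSorcery
  field :username
  field :email
  field :crypted_password
  field :salt
  attr_accessor :password, :password_confirmation
end

SECRET_KEYS = %w[password password_confirmation].freeze

# Audit helper: which plaintext secret keys does a stored document expose?
# Useful over a dump of existing records after the model fix, since records
# written by the leaky model keep their password_confirmation value.
def leaked_secret_keys(doc)
  doc.select { |key, value| SECRET_KEYS.include?(key) && !value.nil? }.keys
end

if __FILE__ == $PROGRAM_NAME
  creds = { username: 'alice', email: 'alice@example.com',
            password: 'MySecretPassword', password_confirmation: 'MySecretPassword' }
  puts "leaky: #{leaked_secret_keys(LeakyUser.new(creds).save).inspect}"
  puts "safe:  #{leaked_secret_keys(SafeUser.new(creds).save).inspect}"
end
```

Run as a script, the leaky model reports `["password_confirmation"]` (the stored document mirrors the console record in the question: `password` is nil, `password_confirmation` is the plaintext), while the corrected model reports an empty list and still authenticates via `valid_password?`.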