Tags: ruby-on-rails, ruby, bcrypt, clearance

BCrypt InvalidHash with Clearance password resets


I'm new to Rails, coming from a PHP + Python background. I'm setting up a development environment on my machine based on a production database dump.

I can't log in to my dev environment because every user sign in fails with a BCrypt InvalidHash error, no matter the user or password.

I checked the users.encrypted_password hash against my password on an online BCrypt website--it matches correctly.

I wrote a quick script to reset all the passwords to see if there's some weird configuration difference between my Fedora machine and the prod Heroku config:

User.find_each do |user|
  user.password = 'password'
  user.save
end

But that's still failing with the same InvalidHash error, stack trace below:

/home/eric/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/bcrypt-3.1.11/lib/bcrypt/password.rb:60:in `initialize': invalid hash (BCrypt::Errors::InvalidHash)
    from /home/eric/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/bcrypt-3.1.11/lib/bcrypt/password.rb:46:in `new'
    from /home/eric/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/bcrypt-3.1.11/lib/bcrypt/password.rb:46:in `create'
    from /home/eric/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/clearance-1.16.1/lib/clearance/password_strategies/bcrypt.rb:28:in `password='
    from /home/eric/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/clearance-1.16.1/lib/clearance/user.rb:111:in `password='
    from db/reset_passwords.rb:9:in `block in <top (required)>'

clearance.rb config:

Clearance.configure do |config|
  config.rotate_csrf_on_sign_in = true
  config.password_strategy = Clearance::PasswordStrategies::BCrypt
end

Model details:

> User.column_names
=> ["id", "first_name", "email", "encrypted_password", "confirmation_token", "remember_token"]

What am I doing wrong? It seems like my dev environment is missing some kind of config.


Solution

  • Someone suggested my OS is at fault. I tried a simple BCrypt::Password.create("password"), which failed the same way. That led me to their GitHub...

    https://github.com/codahale/bcrypt-ruby/issues/170

    So bcrypt-ruby broke on Fedora 28+. Version 3.1.12 was pushed to fix that. Our project was still using 3.1.11.

    Lesson learned: Check the dependent dependencies!
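As an added example, not code from the question or the answer above: a local sanity check you can run in the app's environment before touching the database dump or the Clearance configuration. It parses the bcrypt modular-crypt-format string that Clearance stores in users.encrypted_password (so a stored hash can be inspected locally instead of being pasted into a website), and, when the bcrypt gem loads, confirms that hashing and verification round-trip on this machine. The sample hash string and the helper names are constructed for the example; on a broken gem build like the 3.1.11-on-Fedora-28 case, the round-trip raises BCrypt::Errors::InvalidHash, which pins the fault on the gem rather than on the data.

```ruby
# Added example (not from the question or answer above): a local sanity check
# for bcrypt in a Rails environment. Runs without the gem installed; the
# round-trip step is skipped in that case.
begin
  require 'bcrypt'
  BCRYPT_AVAILABLE = true
rescue LoadError
  BCRYPT_AVAILABLE = false
end

# A bcrypt hash is "$2a$10$" + 22 chars of salt + 31 chars of digest:
# version 2a/2b/2x/2y, a two-digit cost, then 53 chars of bcrypt base64.
BCRYPT_HASH_RE = /\A\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{53})\z/.freeze

# Returns the parts of a well-formed bcrypt string, or nil when the value is
# not one (which is exactly what makes BCrypt::Password.new raise InvalidHash).
def parse_bcrypt_hash(stored)
  m = BCRYPT_HASH_RE.match(stored.to_s)
  return nil unless m
  {
    version: m[1],
    cost: m[2].to_i,
    salt: m[3][0, 22],
    digest: m[3][22, 31]
  }
end

# Constructed sample values (not taken from any real database):
SAMPLE_SALT   = 'abcdefghijklmnopqrstuv'            # 22 chars
SAMPLE_DIGEST = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ01234'   # 31 chars
SAMPLE_VALID  = "$2a$10$#{SAMPLE_SALT}#{SAMPLE_DIGEST}"

# Hash a throwaway password with the gem and verify it again. Cost 4 is the
# bcrypt minimum and keeps the check fast; production code keeps the default.
# Possible results: :ok, :bcrypt_not_installed, :malformed_output,
# :verify_failed, or the InvalidHash message when the gem itself is broken.
def bcrypt_roundtrip(plain = 'password', cost: 4)
  return :bcrypt_not_installed unless BCRYPT_AVAILABLE
  hashed = BCrypt::Password.create(plain, cost: cost).to_s
  return :malformed_output unless parse_bcrypt_hash(hashed)
  BCrypt::Password.new(hashed) == plain ? :ok : :verify_failed
rescue BCrypt::Errors::InvalidHash => e
  "invalid_hash: #{e.message}"
end

# Summary for a human reader; assumes nothing about the app beyond the gem.
def bcrypt_environment_report
  version = Gem.loaded_specs['bcrypt'] && Gem.loaded_specs['bcrypt'].version.to_s
  {
    gem_loaded: BCRYPT_AVAILABLE,
    gem_version: version,
    sample_hash_parses: !parse_bcrypt_hash(SAMPLE_VALID).nil?,
    roundtrip: bcrypt_roundtrip
  }
end

if __FILE__ == $PROGRAM_NAME
  bcrypt_environment_report.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run it with plain `ruby` inside the project (so Bundler's bcrypt is the one loaded); if `roundtrip` comes back as an invalid_hash message while `sample_hash_parses` is true, the stored hashes and Clearance are fine and the gem build is the problem, which is the situation the answer describes.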