Devise: Disable password confirmation during sign-up

Question

I am using Devise for Rails. In the default registration process, Devise requires users to type the password twice for validation and authentication. How can I disable it?

Answer 1

For the sake of Rails 4 users who find this question, simply delete :password_confirmation from the permitted params, which you declare in ApplicationController.rb.

before_filter :configure_permitted_parameters, if: :devise_controller?

protected

def configure_permitted_parameters
  devise_parameter_sanitizer.for(:sign_up) do |u|
    u.permit(:username, :email, :password)
  end
  devise_parameter_sanitizer.for(:account_update) do |u|
    u.permit(:username, :email, :password)
  end
end

Answer 2

Devise's default validations (lib/devise/models/validatable.rb):

validates_confirmation_of :password, :if => :password_required?

and method:

def password_required?
  !persisted? || !password.nil? || !password_confirmation.nil?
end

We need override Devise default password validation. Put the following code at the end in order for it not to be overridden by any of Devise's own settings.

validates_confirmation_of :password, if: :revalid
def revalid
  false
end

And your model would look like this:

class User < ActiveRecord::Base      
  devise :database_authenticatable, :registerable,
     :recoverable, :rememberable, :trackable,
     :confirmable, :timeoutable, :validatable

  validates_confirmation_of :password, if: :revalid

  def revalid
    false
  end
end

Then remove the password_confirmation field from the registration form.

Answer 3

It seems if you just remove the attr_accessible requirement from the model it works just fine without it.

On a side note, I agree with this practice, in the rare case there was a typo, the user can simply use the password recovery to recover their password.

Answer 4

See wiki

def update_with_password(params={})
  params.delete(:current_password)
  self.update_without_password(params)
end

https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-edit-their-account-without-providing-a-password

Answer 5

You just need to remove the password_confirmation field from your form.

Answer 6

To disable password confirmation you can simply remove the password_confirmation field from the registration form. This disables the need to confirm the password entirely!

1. Generate devise views if you haven't: rails g devise:views
2. Remove the password_confirmation section in app\views\devise\registrations\new.html.erb

One way to do it:

<%# Disable password confirmation so that the user doesn't have to enter a password twice %>
<% if false %>
  <div class="field">
    <%= f.label :password_confirmation %><br />
    <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
  </div>
<% end %>

---

The reason why this works lies in lib/devise/models/validatable.rb in the Devise source:

module Devise
  module Models
    module Validatable


      def self.included(base)

        base.class_eval do
          #....SNIP...
          validates_confirmation_of :password, :if => :password_required?
        end
      end

      #...SNIP...

      def password_required?
        !persisted? || !password.nil? || !password_confirmation.nil?
      end
    end
  end
end

Note that the validation is only triggered if password_required? returns true, and password_required? will return false if the password_confirmation field is nil.

Because where the password_confirmation field is present in the form, it will always be included in the parameters hash , as an empty string if it is left blank, the validation is triggered. However, if you remove the input from the form, the password_confirmation in the params will be nil, and therefore the validation will not be triggered.