From 653d2cd4be7e3ef7bfccb2596d90fea62b90be0b Mon Sep 17 00:00:00 2001
From: Jonathan Hooper
Date: Wed, 20 Jun 2018 11:20:55 -0500
Subject: [PATCH 1/2] Re-add authenticable salt method

**Why**: Devise depends on the authenticable salt method, namely for serializing a user into the session: https://github.com/plataformatec/devise/blob/master/lib/devise/models/authenticatable.rb#L233-L235 Credit to @monfresh for finding this bug.
---
app/models/concerns/user_access_key_overrides.rb | 7 +++++++
spec/models/user_spec.rb | 9 +++++++++
2 files changed, 16 insertions(+)

diff --git a/app/models/concerns/user_access_key_overrides.rb b/app/models/concerns/user_access_key_overrides.rb
index a014ca0d50b..f3fe7941282 100644
--- a/app/models/concerns/user_access_key_overrides.rb
+++ b/app/models/concerns/user_access_key_overrides.rb
@@ -23,6 +23,13 @@ def password=(new_password)
 write_legacy_password_attributes(digest) end + def authenticatable_salt return if encrypted_password_digest.blank? Encryption::PasswordVerifier::PasswordDigest.parse_from_string( encrypted_password_digest ).password_salt end + private def write_legacy_password_attributes(digest)
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index ff4926dd9e9..05cd592d676 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -409,6 +409,15 @@ end end + describe '#authenticatable_salt' do it 'returns the password salt' do user = create(:user) salt = JSON.parse(user.encrypted_password_digest)['password_salt'] expect(user.authenticatable_salt).to eq(salt) end end + context 'when a password is updated' do it 'writes encrypted_password_digest and the legacy password attributes' do user = create(:user)
From cde0ce9d7f893a5cd4f9cef16c6690c7ddb15c95 Mon Sep 17 00:00:00 2001
From: Jonathan Hooper
Date: Wed, 20 Jun 2018 11:30:36 -0500
Subject: [PATCH 2/2] Add a helpful comment

---
app/models/concerns/user_access_key_overrides.rb | 3 +++
1 file changed, 3 insertions(+)
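Review bot: The `return if encrypted_password_digest.blank?` guard in the new `authenticatable_salt` hands Devise a nil salt for any user who has only the legacy password attributes that `write_legacy_password_attributes` maintains, and what that means depends on the Devise version in use: where `serialize_from_session` compares the stored salt with `==`, nil == nil restores such users with no salt check at all, and where it uses `Devise.secure_compare`, a blank salt fails and those users can never be restored from the session. Either outcome should be a deliberate choice rather than a side effect of the guard; if digest-less users are expected, consider deriving a salt from whichever password material they do have, or at least document the chosen behaviour above the guard, e.g. `# nil salt: Devise will not restore a session for a user without a digest`. The session-invalidation property Devise gets from this method also holds only if `password=` writes a fresh `password_salt` on every change; that code is outside the hunk, so please confirm it does. Note that Devise calls this during session deserialization, so the JSON parse in `parse_from_string` now runs on every authenticated request.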
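Review bot: The new `#authenticatable_salt` example only checks that the method echoes the stored `password_salt`, which does not cover the property Devise relies on, namely that the salt changes when the password does so existing sessions are invalidated. Add an example that changes the password the way the neighbouring `'when a password is updated'` context does and asserts the salt differs, e.g. `old_salt = user.authenticatable_salt; user.update!(password: new_valid_password); expect(user.authenticatable_salt).not_to eq(old_salt)`, plus one asserting `nil` when `encrypted_password_digest` is blank so the guard's behaviour is pinned. The enclosing `describe` block of user_spec.rb starts and ends outside the hunk.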
diff --git a/app/models/concerns/user_access_key_overrides.rb b/app/models/concerns/user_access_key_overrides.rb
index f3fe7941282..8b05383ef4b 100644
--- a/app/models/concerns/user_access_key_overrides.rb
+++ b/app/models/concerns/user_access_key_overrides.rb
@@ -23,6 +23,9 @@ def password=(new_password)
 write_legacy_password_attributes(digest)
 end
 
+ # This is a devise method, which we are overriding. This should not be removed
+ # as Devise depends on this for things like building the key to use when
+ # storing the user in the session.
 def authenticatable_salt
 return if encrypted_password_digest.blank?
 Encryption::PasswordVerifier::PasswordDigest.parse_from_string(
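Review bot: The added comment describes the salt as used for "building the key to use when storing the user in the session", which understates its security role: as far as the Devise code linked in the commit message shows, Devise stores the salt next to the user id in the session and re-checks it against `authenticatable_salt` when restoring the user, so a changed password invalidates existing sessions. Suggested wording: `# Devise override. Devise stores this salt in the session and re-checks it on every request, so it must change whenever the password changes; removing it breaks session (de)serialization.` The body of `authenticatable_salt` continues past the end of the hunk.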