Merge pull request #55232 from callmesangio/fix-gh-55225

`has_secure_password`: fix password validation.

Author: byroot

activemodel/CHANGELOG.md

@@ -1,3 +1,12 @@
+*   Fix `has_secure_password` to validate the password confirmation field even when blank.
+
+    The password confirmation field being blank suggest the confirmation field was displayed
+    and submitted.
+
+    The validation is now only skipped if the field is `nil`.
+
+    *Fabio Sangiovanni*
+
 ## Rails 8.0.2 (March 12, 2025) ##
 
 *   No changes.

activemodel/lib/active_model/secure_password.rb

@@ -155,7 +155,7 @@ def has_secure_password(attribute = :password, validations: true, reset_token: t
             end
           end
 
-          validates_confirmation_of attribute, allow_blank: true
+          validates_confirmation_of attribute, allow_nil: true
         end
 
         # Only generate tokens for records that are capable of doing so (Active Records, not vanilla Active Models)

activemodel/test/cases/secure_password_test.rb

@@ -104,6 +104,14 @@ class SecurePasswordTest < ActiveModel::TestCase
     assert_equal ["doesn't match Password"], @user.errors[:password_confirmation]
   end
 
+  test "create a new user with validation, a spaces only password, and an incorrect password confirmation" do
+    @user.password = " "
+    @user.password_confirmation = "something else"
+    assert_not @user.valid?(:create), "user should be invalid"
+    assert_equal 1, @user.errors.count
+    assert_equal ["doesn't match Password"], @user.errors[:password_confirmation]
+  end
+
   test "resetting password to nil clears the password cache" do
     @user.password = "password"
     @user.password = nil
@@ -179,6 +187,14 @@ class SecurePasswordTest < ActiveModel::TestCase
     assert_equal ["doesn't match Password"], @existing_user.errors[:password_confirmation]
   end
 
+  test "updating an existing user with validation, a spaces only password, and an incorrect password confirmation" do
+    @existing_user.password = " "
+    @existing_user.password_confirmation = "something else"
+    assert_not @existing_user.valid?(:update), "user should be invalid"
+    assert_equal 1, @existing_user.errors.count
+    assert_equal ["doesn't match Password"], @existing_user.errors[:password_confirmation]
+  end
+
   test "updating an existing user with validation and a correct password challenge" do
     @existing_user.password = "new password"
     @existing_user.password_challenge = "password"