Don't hash invalid passwords twice

Author: moritzhoeppner

app/controllers/devise/sessions_controller.rb

@@ -34,7 +34,7 @@ def destroy
   protected
 
   def sign_in_params
-    devise_parameter_sanitizer.sanitize(:sign_in)
+    devise_parameter_sanitizer.sanitize(:sign_in).except('password')
   end
 
   def serialize_options(resource)

lib/devise/parameter_sanitizer.rb

@@ -36,7 +36,7 @@ module Devise
   #    end
   class ParameterSanitizer
     DEFAULT_PERMITTED_ATTRIBUTES = {
-      sign_in: [:password, :remember_me],
+      sign_in: [:remember_me],
       sign_up: [:password, :password_confirmation],
       account_update: [:password, :password_confirmation, :current_password]
     }

test/integration/database_authenticatable_test.rb

@@ -74,6 +74,29 @@ class DatabaseAuthenticationTest < Devise::IntegrationTest
     assert_not warden.authenticated?(:admin)
   end
 
+  test 'sign in with invalid credentials should not invoke Devise::Encryptor.digest' do
+    module ::Devise::Encryptor
+      class << self
+        alias original_digest digest
+
+        def digest(klass, password)
+          raise 'Devise::Encryptor.digest should not be called here.'
+        end
+      end
+    end
+  
+    visit_with_option nil, new_user_session_path
+    fill_in 'email', with: '[email protected]'
+    fill_in 'password', with: 'abcdef'
+    click_button 'Log In'
+
+    module ::Devise::Encryptor
+      class << self
+        alias digest original_digest
+      end
+    end
+  end
+
   test 'when in paranoid mode and without a valid e-mail' do
     swap Devise, paranoid: true do
       store_translations :en, devise: { failure: { not_found_in_database: 'Not found in database' } } do