Avoid putting ActionController::Parameters objects in the session

app/controllers/accounts_controller.rb

@@ -35,17 +35,19 @@ class AccountsController < ApplicationController
       :form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
     )
 
+    user_params = params.require(:user).permit(:display_name, :new_email, :pass_crypt, :pass_crypt_confirmation, :auth_provider)
+
     if params[:user][:auth_provider].blank? ||
        (params[:user][:auth_provider] == current_user.auth_provider &&
         params[:user][:auth_uid] == current_user.auth_uid)
-      update_user(current_user, params)
+      update_user(current_user, user_params)
       if current_user.errors.count.zero?
         redirect_to edit_account_path
       else
         render :edit
       end
     else
-      session[:new_user_settings] = params
+      session[:new_user_settings] = user_params.to_h
       redirect_to auth_url(params[:user][:auth_provider], params[:user][:auth_uid]), :status => :temporary_redirect
     end
   end

app/controllers/concerns/user_methods.rb

@@ -6,15 +6,15 @@ module UserMethods
   ##
   # update a user's details
   def update_user(user, params)
-    user.display_name = params[:user][:display_name]
-    user.new_email = params[:user][:new_email]
+    user.display_name = params[:display_name]
+    user.new_email = params[:new_email]
 
-    unless params[:user][:pass_crypt].empty? && params[:user][:pass_crypt_confirmation].empty?
-      user.pass_crypt = params[:user][:pass_crypt]
-      user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
+    unless params[:pass_crypt].empty? && params[:pass_crypt_confirmation].empty?
+      user.pass_crypt = params[:pass_crypt]
+      user.pass_crypt_confirmation = params[:pass_crypt_confirmation]
     end
 
-    if params[:user][:auth_provider].nil? || params[:user][:auth_provider].blank?
+    if params[:auth_provider].nil? || params[:auth_provider].blank?
       user.auth_provider = nil
       user.auth_uid = nil
     end