I would change:
user = User.new(params[:user])
with:
user = User.new(user_params)
From docs:
# This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
# without an explicit permit step.
def create
Person.create(params[:person])
end