only store partial hash in cookies for validation

2013-03-05 16:49:09 -05:00
parent f52181db94
commit 5ab9887923
4 changed files with 10 additions and 6 deletions
--- a/app/logical/session_creator.rb
+++ b/app/logical/session_creator.rb
@@ -16,7 +16,7 @@ class SessionCreator
      
      if remember.present?
        cookies.permanent.signed[:user_name] = user.name
-        cookies.permanent.signed[:password_hash] = user.bcrypt_password_hash
+        cookies.permanent[:password_hash] = user.bcrypt_cookie_password_hash
      end
      
      session[:user_id] = user.id
--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -41,7 +41,7 @@ private
  end
  
  def cookie_password_hash_valid?
-    cookies[:password_hash] && User.authenticate_cookie_hash(cookies.signed[:user_name], cookies.signed[:password_hash])
+    cookies[:password_hash] && User.authenticate_cookie_hash(cookies.signed[:user_name], cookies[:password_hash])
  end
  
  def update_last_logged_in_at
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -124,6 +124,10 @@ class User < ActiveRecord::Base
    def bcrypt_password
      BCrypt::Password.new(bcrypt_password_hash)
    end
+    
+    def bcrypt_cookie_password_hash
+      bcrypt_password_hash.slice(20, 100)
+    end

    def encrypt_password_on_create
      self.password_hash = ""
@@ -183,7 +187,7 @@ class User < ActiveRecord::Base

      def authenticate_cookie_hash(name, hash)
        user = find_by_name(name)
-        if user && user.bcrypt_password_hash == hash
+        if user && user.bcrypt_cookie_password_hash == hash
          user
        else
          nil
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -117,8 +117,8 @@ class UserTest < ActiveSupport::TestCase
    should "authenticate" do
      assert(User.authenticate(@user.name, "password"), "Authentication should have succeeded")
      assert(!User.authenticate(@user.name, "password2"), "Authentication should not have succeeded")
-      assert(User.authenticate_hash(@user.name, @user.password_hash), "Authentication should have succeeded")
-      assert(!User.authenticate_hash(@user.name, "xxxx"), "Authentication should not have succeeded")
+      assert(User.authenticate_hash(@user.name, User.sha1("password")), "Authentication should have succeeded")
+      assert(!User.authenticate_hash(@user.name, User.sha1("xxx")), "Authentication should not have succeeded")
    end
      
    should "normalize its level" do
@@ -206,7 +206,7 @@ class UserTest < ActiveSupport::TestCase
        @user.password_confirmation = "zugzug5"
        @user.save
        @user.reload
-        assert(User.authenticate_cookie_hash(@user.name, @user.bcrypt_password_hash))
+        assert(User.authenticate_cookie_hash(@user.name, @user.bcrypt_cookie_password_hash))
      end
      
      should "match the confirmation" do