From 5ab98879230231fee31e650d06cce3a34fc9aaa2 Mon Sep 17 00:00:00 2001
From: albert
Date: Tue, 5 Mar 2013 16:49:09 -0500
Subject: [PATCH] only store partial hash in cookies for validation
---
 app/logical/session_creator.rb | 2 +-
 app/logical/session_loader.rb | 2 +-
 app/models/user.rb | 6 +++++-
 test/unit/user_test.rb | 6 +++---
 4 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/app/logical/session_creator.rb b/app/logical/session_creator.rb
index 3997e8fb1..d346ad31f 100644
--- a/app/logical/session_creator.rb
+++ b/app/logical/session_creator.rb
@@ -16,7 +16,7 @@ class SessionCreator
 if remember.present?
 cookies.permanent.signed[:user_name] = user.name
- cookies.permanent.signed[:password_hash] = user.bcrypt_password_hash
+ cookies.permanent[:password_hash] = user.bcrypt_cookie_password_hash
 end
 session[:user_id] = user.id
diff --git a/app/logical/session_loader.rb b/app/logical/session_loader.rb
index 46edc8177..ffc92f745 100644
--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -41,7 +41,7 @@ private
 end
 def cookie_password_hash_valid?
- cookies[:password_hash] && User.authenticate_cookie_hash(cookies.signed[:user_name], cookies.signed[:password_hash])
+ cookies[:password_hash] && User.authenticate_cookie_hash(cookies.signed[:user_name], cookies[:password_hash])
 end
 def update_last_logged_in_at
diff --git a/app/models/user.rb b/app/models/user.rb
index fd42862c1..d91c4ca12 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -124,6 +124,10 @@ class User < ActiveRecord::Base
 def bcrypt_password
 BCrypt::Password.new(bcrypt_password_hash)
 end
+
+ def bcrypt_cookie_password_hash
+ bcrypt_password_hash.slice(20, 100)
+ end
 def encrypt_password_on_create
 self.password_hash = ""
@@ -183,7 +187,7 @@ class User < ActiveRecord::Base
 def authenticate_cookie_hash(name, hash)
 user = find_by_name(name)
- if user && user.bcrypt_password_hash == hash
+ if user && user.bcrypt_cookie_password_hash == hash
 user
 else
 nil
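Review bot: The added `cookies.permanent[:password_hash] = …` line in session_creator.rb drops `.signed` but sets no cookie attributes, so this long-lived value — which still logs the user in on its own until the password changes — is readable by page scripts and sent over plain HTTP unless those flags are applied globally somewhere I cannot see. Rails takes an options hash here: `cookies.permanent[:password_hash] = { value: user.bcrypt_cookie_password_hash, httponly: true }`, adding `secure: true` if the site is served over TLS. The `user_name` cookie on the line above keeps its signature, so as far as the visible lines show a forged pair still needs the app secret; this point is about exposure of the cookie, not tampering. The enclosing method starts and ends outside the hunk.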
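Review bot: In session_loader.rb the new line reads `cookies[:password_hash]` unsigned, so it is now an arbitrary client-supplied string, and the guard only tests truthiness, so an empty cookie still triggers the `find_by_name` lookup in the model. The creator side uses `remember.present?`; `cookies[:password_hash].present? && User.authenticate_cookie_hash(cookies.signed[:user_name], cookies[:password_hash])` would match that style and skip the database round-trip for blank cookies. The actual comparison lives in the model, which is the right place for it.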
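Review bot: `bcrypt_password_hash.slice(20, 100)` in the new `bcrypt_cookie_password_hash` (user.rb, first hunk) has two unexplained constants and raises `NoMethodError` when `bcrypt_password_hash` is nil, which would surface from `authenticate_cookie_hash` if any account lacks a bcrypt hash — I cannot tell from this hunk whether such rows exist. A bcrypt string is 60 characters (`$2a$`, cost, 22-character salt, 31-character digest), so this keeps the last 40: the tail of the salt plus the whole digest, which is what the commit subject means by "partial hash" and deserves a comment such as `# Remember-me token: tail of the bcrypt string (part of the salt plus the digest); the cost and most of the salt are withheld so a leaked cookie is far less useful for offline guessing.` `bcrypt_password_hash.to_s[20..-1]` says "from index 20 to the end" directly and returns nil instead of raising for a missing hash, which the `==` in `authenticate_cookie_hash` then rejects.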
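Review bot: `user.bcrypt_cookie_password_hash == hash` on the new line of the second user.rb hunk compares a stored secret with a client-supplied cookie value using ordinary string equality, which stops at the first differing byte; a constant-time comparison is the usual choice for credential checks, e.g. `if user && Rack::Utils.secure_compare(user.bcrypt_cookie_password_hash.to_s, hash.to_s)` (Rack ships this; newer Rails also provides `ActiveSupport::SecurityUtils.secure_compare`, if this app's version has it). The `.to_s` calls matter because `secure_compare` expects strings, whereas the current `==` silently mismatches a nil on either side. The method's `end` lies outside the hunk.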
diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb
index 3b73e5b90..2d88c6d65 100644
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -117,8 +117,8 @@ class UserTest < ActiveSupport::TestCase
 should "authenticate" do
 assert(User.authenticate(@user.name, "password"), "Authentication should have succeeded")
 assert(!User.authenticate(@user.name, "password2"), "Authentication should not have succeeded")
- assert(User.authenticate_hash(@user.name, @user.password_hash), "Authentication should have succeeded")
- assert(!User.authenticate_hash(@user.name, "xxxx"), "Authentication should not have succeeded")
+ assert(User.authenticate_hash(@user.name, User.sha1("password")), "Authentication should have succeeded")
+ assert(!User.authenticate_hash(@user.name, User.sha1("xxx")), "Authentication should not have succeeded")
 end
 should "normalize its level" do
@@ -206,7 +206,7 @@ class UserTest < ActiveSupport::TestCase
 @user.password_confirmation = "zugzug5"
 @user.save
 @user.reload
- assert(User.authenticate_cookie_hash(@user.name, @user.bcrypt_password_hash))
+ assert(User.authenticate_cookie_hash(@user.name, @user.bcrypt_cookie_password_hash))
 end
 should "match the confirmation" do
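Review bot: The updated assertion in the second hunk only checks that the value the model itself produces is accepted by the model, so it would still pass if `bcrypt_cookie_password_hash` returned the full hash, which is exactly the behaviour this commit removes. Pin the negative cases alongside it: `assert(!User.authenticate_cookie_hash(@user.name, @user.bcrypt_password_hash))` so the full bcrypt string is no longer a valid cookie token, and `assert(!User.authenticate_cookie_hash(@user.name, "xxx"))` for an arbitrary wrong value, mirroring the negative checks the first hunk keeps for `authenticate_hash`. The enclosing `should` block starts outside the hunk.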