jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

only store partial hash in cookies for validation

Browse Source
This commit is contained in:
albert
2013-03-05 16:49:09 -05:00
parent f52181db94
commit 5ab9887923
4 changed files with 10 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/logical/session_creator.rb
View File

@@ -16,7 +16,7 @@ class SessionCreator
if remember.present? if remember.present?
cookies.permanent.signed[:user_name] = user.name cookies.permanent.signed[:user_name] = user.name
cookies.permanent.signed[:password_hash] = user.bcrypt_password_hash cookies.permanent[:password_hash] = user.bcrypt_cookie_password_hash
end end
session[:user_id] = user.id session[:user_id] = user.id

2
app/logical/session_loader.rb
View File

@@ -41,7 +41,7 @@ private
end end
def cookie_password_hash_valid? def cookie_password_hash_valid?
cookies[:password_hash] && User.authenticate_cookie_hash(cookies.signed[:user_name], cookies.signed[:password_hash]) cookies[:password_hash] && User.authenticate_cookie_hash(cookies.signed[:user_name], cookies[:password_hash])
end end
def update_last_logged_in_at def update_last_logged_in_at

6
app/models/user.rb
View File

@@ -125,6 +125,10 @@ class User < ActiveRecord::Base
BCrypt::Password.new(bcrypt_password_hash) BCrypt::Password.new(bcrypt_password_hash)
end end
def bcrypt_cookie_password_hash
bcrypt_password_hash.slice(20, 100)
end
def encrypt_password_on_create def encrypt_password_on_create
self.password_hash = "" self.password_hash = ""
self.bcrypt_password_hash = User.bcrypt(password) self.bcrypt_password_hash = User.bcrypt(password)
@@ -183,7 +187,7 @@ class User < ActiveRecord::Base
def authenticate_cookie_hash(name, hash) def authenticate_cookie_hash(name, hash)
user = find_by_name(name) user = find_by_name(name)
if user && user.bcrypt_password_hash == hash if user && user.bcrypt_cookie_password_hash == hash
user user
else else
nil nil

6
test/unit/user_test.rb
View File

@@ -117,8 +117,8 @@ class UserTest < ActiveSupport::TestCase
should "authenticate" do should "authenticate" do
assert(User.authenticate(@user.name, "password"), "Authentication should have succeeded") assert(User.authenticate(@user.name, "password"), "Authentication should have succeeded")
assert(!User.authenticate(@user.name, "password2"), "Authentication should not have succeeded") assert(!User.authenticate(@user.name, "password2"), "Authentication should not have succeeded")
assert(User.authenticate_hash(@user.name, @user.password_hash), "Authentication should have succeeded") assert(User.authenticate_hash(@user.name, User.sha1("password")), "Authentication should have succeeded")
assert(!User.authenticate_hash(@user.name, "xxxx"), "Authentication should not have succeeded") assert(!User.authenticate_hash(@user.name, User.sha1("xxx")), "Authentication should not have succeeded")
end end
should "normalize its level" do should "normalize its level" do
@@ -206,7 +206,7 @@ class UserTest < ActiveSupport::TestCase
@user.password_confirmation = "zugzug5" @user.password_confirmation = "zugzug5"
@user.save @user.save
@user.reload @user.reload
assert(User.authenticate_cookie_hash(@user.name, @user.bcrypt_password_hash)) assert(User.authenticate_cookie_hash(@user.name, @user.bcrypt_cookie_password_hash))
end end
should "match the confirmation" do should "match the confirmation" do