users: refactor login and authentication logic.

* Make authentication methods into User instance methods instead of class methods. * Fix API key authentication to use a secure string comparison. Fixes a hypothetical (unlikely to be exploitable) timing attack. * Move login logic from SessionCreator to SessionLoader.
2020-03-25 03:41:27 -05:00
parent 64af957031
commit b2cf765d6d
14 changed files with 68 additions and 100 deletions
--- a/app/controllers/maintenance/user/api_keys_controller.rb
+++ b/app/controllers/maintenance/user/api_keys_controller.rb
@@ -27,7 +27,7 @@ module Maintenance
      end

      def authenticate!
-        if ::User.authenticate(CurrentUser.user.name, params[:user][:password]) == CurrentUser.user
+        if CurrentUser.user.authenticate_password(params[:user][:password])
          @api_key = CurrentUser.user.api_key || ApiKey.generate!(CurrentUser.user)
          @password = params[:user][:password]
        else