jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

users: refactor login and authentication logic.

Browse Source 
* Make authentication methods into User instance methods instead of
  class methods.
* Fix API key authentication to use a secure string comparison. Fixes a
  hypothetical (unlikely to be exploitable) timing attack.
* Move login logic from SessionCreator to SessionLoader.
This commit is contained in:
evazion
2020-03-25 03:41:27 -05:00
parent 64af957031
commit b2cf765d6d
14 changed files with 68 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
test/unit/api_key_test.rb
View File

@@ -18,15 +18,15 @@ class ApiKeyTest < ActiveSupport::TestCase
end
should "authenticate via api key" do
assert_not_nil(User.authenticate_api_key(@user.name, @api_key.key))
assert_equal(@user, @user.authenticate_api_key(@api_key.key))
end
should "not authenticate with the wrong api key" do
assert_nil(User.authenticate_api_key(@user.name, "xxx"))
assert_equal(false, @user.authenticate_api_key("xxx"))
end
should "not authenticate with the wrong name" do
assert_nil(User.authenticate_api_key("xxx", @api_key.key))
assert_equal(false, create(:user).authenticate_api_key(@api_key.key))
end
should "have the same limits whether or not they have an api key" do

2
test/unit/user_deletion_test.rb
View File

@@ -43,7 +43,7 @@ class UserDeletionTest < ActiveSupport::TestCase
should "reset the password" do
@deletion.delete!
assert_nil(User.authenticate(@user.name, "password"))
assert_equal(false, @user.authenticate_password("password"))
end
should "remove any favorites" do

8
test/unit/user_test.rb
View File

@@ -39,11 +39,9 @@ class UserTest < ActiveSupport::TestCase
end
end
should "authenticate" do
assert(User.authenticate(@user.name, "password"), "Authentication should have succeeded")
assert(!User.authenticate(@user.name, "password2"), "Authentication should not have succeeded")
assert(User.authenticate_hash(@user.name, User.sha1("password")), "Authentication should have succeeded")
assert(!User.authenticate_hash(@user.name, User.sha1("xxx")), "Authentication should not have succeeded")
should "authenticate password" do
assert_equal(@user, @user.authenticate_password("password"))
assert_equal(false, @user.authenticate_password("password2"))
end
should "normalize its level" do