jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

users: refactor login and authentication logic.

Browse Source 
* Make authentication methods into User instance methods instead of
  class methods.
* Fix API key authentication to use a secure string comparison. Fixes a
  hypothetical (unlikely to be exploitable) timing attack.
* Move login logic from SessionCreator to SessionLoader.
This commit is contained in:
evazion
2020-03-25 03:41:27 -05:00
parent 64af957031
commit b2cf765d6d
14 changed files with 68 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
test/unit/api_key_test.rb
View File

@@ -18,15 +18,15 @@ class ApiKeyTest < ActiveSupport::TestCase
end
should "authenticate via api key" do
assert_not_nil(User.authenticate_api_key(@user.name, @api_key.key))
assert_equal(@user, @user.authenticate_api_key(@api_key.key))
end
should "not authenticate with the wrong api key" do
assert_nil(User.authenticate_api_key(@user.name, "xxx"))
assert_equal(false, @user.authenticate_api_key("xxx"))
end
should "not authenticate with the wrong name" do
assert_nil(User.authenticate_api_key("xxx", @api_key.key))
assert_equal(false, create(:user).authenticate_api_key(@api_key.key))
end
should "have the same limits whether or not they have an api key" do