api: remove legacy password_hash login method.

Remove the ability to authenticate to the API with the `login` and `password_hash` url parameters. This is a legacy authentication method from Danbooru 1. How to actually generate the password_hash for this method hasn't been fully documented for many years now. It required taking the SHA1 hash of your password combined with an undocumented salt value (i.e., password_hash = sha1("choujin-steiner--#{password}")). This authentication method was also slow because it required checking the password on every API call. Checking passwords is deliberately slow because passwords are hashed with BCrypt. BCrypt takes about ~200ms per request, so using this method effectively limited you to ~5 requests per second in a single thread.
2020-03-25 04:33:12 -05:00
parent b2cf765d6d
commit e9b33dbd48
3 changed files with 1 additions and 47 deletions
--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -42,7 +42,7 @@ class SessionLoader
  end

  def has_api_authentication?
-    request.authorization.present? || params[:login].present? || params[:api_key].present? || params[:password_hash].present?
+    request.authorization.present? || params[:login].present? || params[:api_key].present?
  end

  private
@@ -57,8 +57,6 @@ class SessionLoader
      authenticate_basic_auth
    elsif params[:login].present? && params[:api_key].present?
      authenticate_api_key(params[:login], params[:api_key])
-    elsif params[:login].present? && params[:password_hash].present?
-      authenticate_legacy_api_key(params[:login], params[:password_hash])
    end
  end

@@ -74,14 +72,6 @@ class SessionLoader
    raise AuthenticationFailure unless Currentuser.user.present?
  end

-  def authenticate_legacy_api_key(name, password_hash)
-    CurrentUser.user = User.authenticate_hash(name, password_hash)
-
-    if CurrentUser.user.nil?
-      raise AuthenticationFailure.new
-    end
-  end
-
  def load_param_user(signed_user_id)
    session[:user_id] = Danbooru::MessageVerifier.new(:login).verify(signed_user_id)
    load_session_user
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -181,17 +181,6 @@ class User < ApplicationRecord
    def hash_password(password)
      Digest::SHA1.hexdigest("choujin-steiner--#{password}--")
    end
-
-    module ClassMethods
-      def authenticate_hash(name, hash)
-        user = find_by_name(name)
-        if user && user.bcrypt_password == hash
-          user
-        else
-          nil
-        end
-      end
-    end
  end

  module LevelMethods