api: remove legacy password_hash login method.

Remove the ability to authenticate to the API with the `login` and `password_hash` url parameters. This is a legacy authentication method from Danbooru 1. How to actually generate the password_hash for this method hasn't been fully documented for many years now. It required taking the SHA1 hash of your password combined with an undocumented salt value (i.e., password_hash = sha1("choujin-steiner--#{password}")). This authentication method was also slow because it required checking the password on every API call. Checking passwords is deliberately slow because passwords are hashed with BCrypt. BCrypt takes about ~200ms per request, so using this method effectively limited you to ~5 requests per second in a single thread.
2020-03-25 04:33:12 -05:00
parent b2cf765d6d
commit e9b33dbd48
3 changed files with 1 additions and 47 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -181,17 +181,6 @@ class User < ApplicationRecord
    def hash_password(password)
      Digest::SHA1.hexdigest("choujin-steiner--#{password}--")
    end
-
-    module ClassMethods
-      def authenticate_hash(name, hash)
-        user = find_by_name(name)
-        if user && user.bcrypt_password == hash
-          user
-        else
-          nil
-        end
-      end
-    end
  end

  module LevelMethods