jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

api: remove legacy password_hash login method.

Browse Source 
Remove the ability to authenticate to the API with the `login` and
`password_hash` url parameters. This is a legacy authentication method
from Danbooru 1. How to actually generate the password_hash for this
method hasn't been fully documented for many years now. It required
taking the SHA1 hash of your password combined with an undocumented salt
value (i.e., password_hash = sha1("choujin-steiner--#{password}")).

This authentication method was also slow because it required checking
the password on every API call. Checking passwords is deliberately slow
because passwords are hashed with BCrypt. BCrypt takes about ~200ms per
request, so using this method effectively limited you to ~5 requests per
second in a single thread.
This commit is contained in:
evazion
2020-03-25 04:33:12 -05:00
parent b2cf765d6d
commit e9b33dbd48
3 changed files with 1 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
test/functional/application_controller_test.rb
View File

@@ -95,31 +95,6 @@ class ApplicationControllerTest < ActionDispatch::IntegrationTest
end
end
context "using the password_hash parameter" do
should "succeed for password matches" do
get edit_user_path(@user), params: { login: @user.name, password_hash: User.sha1("password") }
assert_response :success
end
should "fail for password mismatches" do
get profile_path, as: :json, params: { login: @user.name }
assert_response 401
get profile_path, as: :json, params: { password_hash: User.sha1("password") }
assert_response 401
get profile_path, as: :json, params: { login: @user.name, password_hash: "bad" }
assert_response 401
end
should "succeed for non-GET requests without a CSRF token" do
assert_changes -> { @user.reload.enable_safe_mode }, from: false, to: true do
put user_path(@user), params: { login: @user.name, password_hash: User.sha1("password"), user: { enable_safe_mode: "true" } }, as: :json
assert_response :success
end
end
end
context "with cookie-based authentication" do
should "not allow non-GET requests without a CSRF token" do
# get the csrf token from the login page so we can login