Major revamp of security. Passwords are first SHA1 hashed and then
that hash is bcrypted. Bcrypted hashes are stored in a new column on
users. This separate column is only to allow for rollbacks;
eventually the old SHA1 hash column will be removed. Sensitive cookie
details are now encrypted to prevent user tampering, and more stringent
checks on secret_token and session_secret_key are enforced.
albert
2013-03-04 22:55:41 -05:00
parent bae5835cff
commit f52181db94
13 changed files with 108 additions and 68 deletions


@@ -101,7 +101,7 @@ module Maintenance
@user = FactoryGirl.create(:user)
@nonce = FactoryGirl.create(:user_password_reset_nonce, :email => @user.email)
ActionMailer::Base.deliveries.clear
@old_password = @user.password_hash
@old_password = @user.bcrypt_password_hash
post :update, :email => @nonce.email, :key => @nonce.key
end
@@ -115,7 +115,7 @@ module Maintenance
should "change the password" do
@user.reload
assert_not_equal(@old_password, @user.password_hash)
assert_not_equal(@old_password, @user.bcrypt_password_hash)
end
should "delete the nonce" do
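Review bot: `assert_not_equal(@old_password, @user.bcrypt_password_hash)` in the "change the password" test can no longer distinguish a changed password from a re-saved one, because bcrypt salts every encoding and two hashes of the same SHA1 digest differ, whereas the old SHA1 column comparison was deterministic. The assertion still catches a reset that writes nothing, but not a reset that re-hashes the existing password. A check that survives the salting is one that goes through the bcrypt comparison already used elsewhere in this commit, e.g. `refute(@user.bcrypt_password == User.sha1(<old plaintext>))`, assuming the test can obtain the pre-reset plaintext; the reset flow itself is outside the hunk. The enclosing `setup` block starts before the hunk and the surrounding `context` continues past it.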


@@ -35,7 +35,7 @@ class UserTest < ActiveSupport::TestCase
assert_difference("ModAction.count") do
@user.invite!(User::Levels::CONTRIBUTOR)
end
assert_equal("#{@user.id} level changed Member -> Contributor by #{CurrentUser.name}", ModAction.first.description)
assert_equal("#{@user.name} level changed Member -> Contributor by #{CurrentUser.name}", ModAction.last.description)
end
end
@@ -199,21 +199,16 @@ class UserTest < ActiveSupport::TestCase
end
end
context "cookie password hash" do
setup do
@user = FactoryGirl.create(:user, :name => "albert", :password_hash => "1234")
end
should "be correct" do
assert_equal("8ac3b1d04bdb95ba92f9e355897c880e0d88ac5a", @user.cookie_password_hash)
end
should "validate" do
assert(User.authenticate_cookie_hash(@user.name, "8ac3b1d04bdb95ba92f9e355897c880e0d88ac5a"))
end
end
context "password" do
should "match the cookie hash" do
@user = FactoryGirl.create(:user)
@user.password = "zugzug5"
@user.password_confirmation = "zugzug5"
@user.save
@user.reload
assert(User.authenticate_cookie_hash(@user.name, @user.bcrypt_password_hash))
end
should "match the confirmation" do
@user = FactoryGirl.create(:user)
@user.password = "zugzug5"
@@ -248,25 +243,25 @@ class UserTest < ActiveSupport::TestCase
should "not change the password if the password and old password are blank" do
@user = FactoryGirl.create(:user, :password => "67890")
@user.update_attributes(:password => "", :old_password => "")
assert_equal(User.sha1("67890"), @user.password_hash)
assert(@user.bcrypt_password == User.sha1("67890"))
end
should "not change the password if the old password is incorrect" do
@user = FactoryGirl.create(:user, :password => "67890")
@user.update_attributes(:password => "12345", :old_password => "abcdefg")
assert_equal(User.sha1("67890"), @user.password_hash)
assert(@user.bcrypt_password == User.sha1("67890"))
end
should "not change the password if the old password is blank" do
@user = FactoryGirl.create(:user, :password => "67890")
@user.update_attributes(:password => "12345", :old_password => "")
assert_equal(User.sha1("67890"), @user.password_hash)
assert(@user.bcrypt_password == User.sha1("67890"))
end
should "change the password if the old password is correct" do
@user = FactoryGirl.create(:user, :password => "67890")
@user.update_attributes(:password => "12345", :old_password => "67890")
assert_equal(User.sha1("12345"), @user.password_hash)
assert(@user.bcrypt_password == User.sha1("12345"))
end
context "in the json representation" do