Major revamp of security. Passwords are first SHA1 hashed and then

that hash is bcrypted. Bcrypted hashes are stored in a new column on users. This separate column is only to allow for rollbacks, eventually the old SHA1 hash column will be removed. Sensitive cookie details are now encrypted to prevent user tampering and more stringent checks on secret_token and session_secret_key are enforced.
2013-03-04 22:55:41 -05:00
parent bae5835cff
commit f52181db94
13 changed files with 108 additions and 68 deletions
--- a/test/functional/maintenance/user/password_resets_controller_test.rb
+++ b/test/functional/maintenance/user/password_resets_controller_test.rb
@@ -101,7 +101,7 @@ module Maintenance
              @user = FactoryGirl.create(:user)
              @nonce = FactoryGirl.create(:user_password_reset_nonce, :email => @user.email)
              ActionMailer::Base.deliveries.clear
-              @old_password = @user.password_hash
+              @old_password = @user.bcrypt_password_hash
              post :update, :email => @nonce.email, :key => @nonce.key
            end
            
@@ -115,7 +115,7 @@ module Maintenance
            
            should "change the password" do
              @user.reload
-              assert_not_equal(@old_password, @user.password_hash)
+              assert_not_equal(@old_password, @user.bcrypt_password_hash)
            end
            
            should "delete the nonce" do