recovery code feature was assuming Devise was using bcrypt encryption…

… configuration
18F · Oct 6, 2016 · 5731222 · 5731222
1 parent 8067934
commit 5731222
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 2 deletions.
diff --git a/Gemfile b/Gemfile
@@ -6,6 +6,7 @@ gem 'rails', '~> 4.2.6'
 gem 'activerecord-session_store'
 gem 'ahoy_matey'
 gem 'american_date'
+gem 'bcrypt'
 gem 'browserify-rails'
 gem 'coffee-rails', '~> 4.1.0'
 gem 'devise', '~> 4.1'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -610,6 +610,7 @@ DEPENDENCIES
   activerecord-session_store
   ahoy_matey
   american_date
+  bcrypt
   better_errors
   binding_of_caller
   brakeman

diff --git a/app/forms/recovery_code_form.rb b/app/forms/recovery_code_form.rb
@@ -17,7 +17,7 @@ def submit
   attr_reader :user, :code, :success
 
   def valid_recovery_code?
-    Devise::Encryptor.compare(User, user.recovery_code, code)
+    RecoveryCodeGenerator.compare(user.recovery_code, code)
   end
 
   def result

diff --git a/app/services/recovery_code_generator.rb b/app/services/recovery_code_generator.rb
@@ -1,4 +1,13 @@
 class RecoveryCodeGenerator
+  STRETCHES = 12
+
+  def self.compare(hashed_code, recovery_code)
+    return false if hashed_code.blank?
+    bcrypt = BCrypt::Password.new(hashed_code)
+    password = BCrypt::Engine.hash_secret(recovery_code, bcrypt.salt)
+    Devise.secure_compare(password, hashed_code)
+  end
+
   def initialize(user, length: 16)
     @user = user
     @length = length
@@ -15,7 +24,7 @@ def create
   attr_reader :length, :user
 
   def hashed_code
-    Devise::Encryptor.digest(User, raw_recovery_code)
+    BCrypt::Password.create(raw_recovery_code, cost: STRETCHES).to_s
   end
 
   def raw_recovery_code