
Fixed a bug where BCrypt was not used properly.

1 parent da1d612 commit 4f9df53425426b9368fdb3be7abfed01ef8c1951 @NoamB committed Feb 4, 2011
Showing with 25 additions and 11 deletions.
  1. +1 −0 Rakefile
  2. +1 −1 lib/sorcery/crypto_providers/bcrypt.rb
  3. +11 −5 lib/sorcery/model.rb
  4. +2 −1 spec/rails3/Gemfile
  5. +2 −0 spec/rails3/Gemfile.lock
  6. +8 −4 spec/rails3/user_spec.rb
@@ -22,6 +22,7 @@ Jeweler::Tasks.new do |gem|
# and development dependencies are only needed for development (ie running rake tasks, tests, etc)
# gem.add_runtime_dependency 'jabber4r', '> 0.1'
# gem.add_development_dependency 'rspec', '> 1.2.3'
+ # gem.add_runtime_dependency 'bcrypt-ruby', '~> 2.1.4'
end
Jeweler::RubygemsDotOrgTasks.new
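Review bot: The bcrypt-ruby runtime dependency is added only as a commented-out line, so the gemspec Jeweler generates still does not declare it even though this same commit switches the default provider to `CryptoProviders::BCrypt`; uncomment it as `gem.add_runtime_dependency 'bcrypt-ruby', '~> 2.1.4'`. Without the declaration an application that keeps the default configuration gets a load error until it adds the gem by hand, and the entry in `spec/rails3/Gemfile` only covers this repository's own tests. The `Jeweler::Tasks.new do |gem|` block opens before this hunk.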
@@ -49,7 +49,7 @@ def cost
@cost ||= 10
end
attr_writer :cost
- alias :stretches= :cost=
+ #alias :stretches= :cost=
# Creates a BCrypt hash for the password passed.
def encrypt(*tokens)
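Review bot: The `stretches=` alias is commented out rather than deleted; commented-out code drifts from the live code and the history already records it, so drop the `#alias :stretches= :cost=` line entirely. If the intent is that Sorcery's generic `stretches` setting must no longer be written into the BCrypt cost factor — plausible from the commit message, but not shown here — say so in a short comment above `attr_writer :cost`, e.g. `# cost is BCrypt's work factor; it is deliberately not tied to the generic stretches setting`. `attr_writer :cost` still accepts any value, so a misconfiguration can silently lower the work factor; consider rejecting values below the default. The enclosing class and the `encrypt` method continue outside this hunk.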
@@ -52,10 +52,16 @@ def sorcery_config
def authenticate(*credentials)
raise ArgumentError, "at least 2 arguments required" if credentials.size < 2
user = where("#{@sorcery_config.username_attribute_name} = ?", credentials[0]).first
- salt = user.send(@sorcery_config.salt_attribute_name) if user && !@sorcery_config.salt_attribute_name.nil?
- user if user && @sorcery_config.before_authenticate.all? {|c| user.send(c)} && (user.send(@sorcery_config.crypted_password_attribute_name)) == encrypt(credentials[1],salt)
+ _salt = user.send(@sorcery_config.salt_attribute_name) if user && !@sorcery_config.salt_attribute_name.nil? && !@sorcery_config.encryption_provider.nil?
+ user if user && @sorcery_config.before_authenticate.all? {|c| user.send(c)} && credentials_match?(user.send(@sorcery_config.crypted_password_attribute_name),credentials[1],_salt)
+ end
+
+ def credentials_match?(crypted, *tokens)
+ return crypted == tokens.join if @sorcery_config.encryption_provider.nil?
+ @sorcery_config.encryption_provider.matches?(crypted, *tokens)
end
+ # encrypt tokens using current encryption_provider.
def encrypt(*tokens)
return tokens.first if @sorcery_config.encryption_provider.nil?
@@ -78,8 +84,8 @@ def sorcery_config
# encrypts password with salt and save it.
def encrypt_password
config = sorcery_config
- self.send(:"#{config.salt_attribute_name}=", generate_random_code) if !config.salt_attribute_name.nil?
- self.send(:"#{config.crypted_password_attribute_name}=", self.class.encrypt(self.send(config.password_attribute_name),salt))
+ new_salt = self.send(:"#{config.salt_attribute_name}=", generate_random_code) if !config.salt_attribute_name.nil?
+ self.send(:"#{config.crypted_password_attribute_name}=", self.class.encrypt(self.send(config.password_attribute_name),new_salt))
end
def clear_virtual_password
@@ -131,7 +137,7 @@ def initialize
:@password_attribute_name => :password,
:@email_attribute_name => :email,
:@crypted_password_attribute_name => :crypted_password,
- :@encryption_algorithm => :sha256,
+ :@encryption_algorithm => :bcrypt,
:@encryption_provider => CryptoProviders::BCrypt,
:@custom_encryption_provider => nil,
:@encryption_key => nil,
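Review bot: `authenticate` only reaches `credentials_match?` when a user row was found, so an unknown username returns almost immediately while a known one pays the full BCrypt cost, which this commit makes the default (`:@encryption_provider => CryptoProviders::BCrypt`); the response-time gap lets a caller enumerate valid usernames. Run the hash on the miss path as well, e.g. `encrypt(credentials[1], _salt) unless user` before the final expression, assuming `encrypt` delegates to the provider in the part of its body that lies beyond the hunk. The `encryption_provider.nil?` branch of `credentials_match?` compares stored plaintext with `==`; a comment such as `# plaintext storage: plain string compare, not constant-time` would make that trade-off visible to the next reader. `encrypt`'s body continues past the hunk.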
@@ -3,7 +3,8 @@ source 'http://rubygems.org'
gem 'rails', '3.0.3'
gem 'sqlite3-ruby', :require => 'sqlite3'
gem "sorcery", '0.1.0', :path => '../../../'
-
+gem 'bcrypt-ruby', '~> 2.1.4', :require => 'bcrypt'
+
group :development do
gem 'rspec'
gem 'rspec-rails'
@@ -35,6 +35,7 @@ GEM
activesupport (3.0.3)
archive-tar-minitar (0.5.2)
arel (2.0.6)
+ bcrypt-ruby (2.1.4)
builder (2.1.2)
columnize (0.3.2)
diff-lcs (1.1.2)
@@ -105,6 +106,7 @@ PLATFORMS
ruby
DEPENDENCIES
+ bcrypt-ruby (~> 2.1.4)
rails (= 3.0.3)
rspec
rspec-rails
@@ -93,7 +93,7 @@
# ----------------- PLUGIN ACTIVATED -----------------------
describe User, "when activated with sorcery" do
before(:all) do
- plugin_model_configure
+ plugin_model_configure()
end
before(:each) do
@@ -137,7 +137,7 @@
it "should encrypt password when a new user is saved" do
create_new_user
- @user.send(User.sorcery_config.crypted_password_attribute_name).should == User.encrypt('secret',@user.salt)
+ User.sorcery_config.encryption_provider.matches?(@user.send(User.sorcery_config.crypted_password_attribute_name),'secret',@user.salt).should be_true
end
it "should clear the virtual password field if the encryption process worked" do
@@ -171,14 +171,14 @@
create_new_user
@user.email = "blup@bla.com"
@user.save!
- @user.send(User.sorcery_config.crypted_password_attribute_name).should == User.encrypt('secret',@user.salt)
+ User.sorcery_config.encryption_provider.matches?(@user.send(User.sorcery_config.crypted_password_attribute_name),'secret',@user.salt).should be_true
end
it "should replace the crypted_password in case a new password is set" do
create_new_user
@user.password = 'new_secret'
@user.save!
- @user.send(User.sorcery_config.crypted_password_attribute_name).should == User.encrypt('new_secret',@user.salt)
+ User.sorcery_config.encryption_provider.matches?(@user.send(User.sorcery_config.crypted_password_attribute_name),'secret',@user.salt).should be_false
end
end
@@ -209,6 +209,10 @@ class MyCrypto
def self.encrypt(*tokens)
tokens.flatten.join('').gsub(/e/,'A')
end
+
+ def self.matches?(crypted,*tokens)
+ crypted = encrypt(*tokens)
+ end
end
plugin_set_model_config_property(:encryption_algorithm, :custom)
plugin_set_model_config_property(:custom_encryption_provider, MyCrypto)
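Review bot: `MyCrypto.matches?` uses `=` where `==` is needed: `crypted = encrypt(*tokens)` assigns the local and returns the encrypted string, which is always truthy, so the custom provider accepts any password and this spec cannot catch a broken `credentials_match?`. Change it to `crypted == encrypt(*tokens)`. It is also worth adding a negative case for the custom provider (a wrong password should make `authenticate` return nil), since none of the visible expectations would have noticed an always-true `matches?`. The `describe` block for the custom provider continues past the hunk.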
