Replaced SHA256 with BCrypt.

Closes #1
mcollina · Mar 2, 2011 · ed4690b · ed4690b
1 parent 171eb37
commit ed4690b
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 6 deletions.
diff --git a/Rakefile b/Rakefile
@@ -11,6 +11,7 @@ Jeweler::Tasks.new do |gem|
   gem.description = %Q{Yauth is a extremely simple authentication solution for prototipes, developed as a warden strategy. It uses a yaml file to store usernames and hashed password. It provides a better-than-nothing security.}
   gem.email = "matteo@matteocollina.com"
   gem.authors = ["Matteo Collina"]
+  gem.add_runtime_dependency 'bcrypt', '~> 1.0'
   gem.add_runtime_dependency 'warden', '~> 1.0'
   gem.add_runtime_dependency 'thor', '~> 0.14.0'
   gem.add_development_dependency 'test_notifier', '~> 0.3.6'

diff --git a/examples/sinatra/config/users.yml b/examples/sinatra/config/users.yml
@@ -1,4 +1,9 @@
 --- 
 - user: 
     username: admin
-    password: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+    password: !str:BCrypt::Password 
+      str: $2a$10$UMR/fB5Jn5oRNe.OV9VicOLrg9BnPyN6Vc3S/noI5LWzfMKK2Zj0q
+      "@checksum": Lrg9BnPyN6Vc3S/noI5LWzfMKK2Zj0q
+      "@cost": 10
+      "@salt": $2a$10$UMR/fB5Jn5oRNe.OV9VicO
+      "@version": !str:BCrypt::Password 2a
diff --git a/lib/yauth.rb b/lib/yauth.rb
@@ -1,7 +1,7 @@
 require 'yaml'
-require 'digest/sha1'
 require 'thor'
 require 'warden'
+require 'bcrypt'
 
 module Yauth
   class << self

diff --git a/lib/yauth/user.rb b/lib/yauth/user.rb
@@ -1,5 +1,8 @@
 
 class Yauth::User
+
+  include BCrypt
+
   attr_accessor :username, :password
   attr_reader :plain_password
 
@@ -12,7 +15,7 @@ def initialize(hash={})
   end
 
   def plain_password=(plain_password)
-    self.password = Digest::SHA256.hexdigest(plain_password)
+    self.password = Password.create(plain_password)
     @plain_password = plain_password
   end
 
@@ -26,6 +29,6 @@ def to_yaml(opts={})
 
   def authenticate(password)
     return false if password.to_s == "" 
-    Digest::SHA256.hexdigest(password) == self.password
+    self.password == password
   end
 end
diff --git a/spec/yauth/user_spec.rb b/spec/yauth/user_spec.rb
@@ -12,9 +12,10 @@
 
   it "should set the real password based on the plain password" do
     password = "hello world"
-    hash = Digest::SHA256.hexdigest(password)
+    cyphertext = mock "CypherText"
+    BCrypt::Password.should_receive(:create).and_return(cyphertext)
     subject.plain_password = password
-    subject.password.should == hash
+    subject.password.should == cyphertext
   end
 
   it "should memorize the plain password until the end of the session" do