Commit 015d0de

committed
move default crypto provider back to sha::512 to preserve backwards compatibility
1 parent 68d392e commit 015d0de

1 file changed

+48
-47
lines changed

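--- a/lib/authlogic/acts_as_authentic/password.rb
+++ b/lib/authlogic/acts_as_authentic/password.rb
@@ -10,7 +10,7 @@ def self.included(klass)
 add_acts_as_authentic_module(Methods)
 end
 end
-
+
 # All configuration for the password aspect of acts_as_authentic.
 module Config
 # The name of the crypted_password field in the database.
@@ -21,7 +21,7 @@ def crypted_password_field(value = nil)
 rw_config(:crypted_password_field, value, first_column_to_exist(nil, :crypted_password, :encrypted_password, :password_hash, :pw_hash))
 end
 alias_method :crypted_password_field=, :crypted_password_field
-
+
 # The name of the password_salt field in the database.
 #
 # * <tt>Default:</tt> :password_salt, :pw_salt, :salt, nil if none exist
@@ -30,7 +30,7 @@ def password_salt_field(value = nil)
 rw_config(:password_salt_field, value, first_column_to_exist(nil, :password_salt, :pw_salt, :salt))
 end
 alias_method :password_salt_field=, :password_salt_field
-
+
 # Whether or not to require a password confirmation. If you don't want your users to confirm their password
 # just set this to false.
 #
@@ -40,7 +40,7 @@ def require_password_confirmation(value = nil)
 rw_config(:require_password_confirmation, value, true)
 end
 alias_method :require_password_confirmation=, :require_password_confirmation
-
+
 # By default passwords are required when a record is new or the crypted_password is blank, but if both of these things
 # are met a password is not required. In this case, blank passwords are ignored.
 #
@@ -56,7 +56,7 @@ def ignore_blank_passwords(value = nil)
 rw_config(:ignore_blank_passwords, value, true)
 end
 alias_method :ignore_blank_passwords=, :ignore_blank_passwords
-
+
 # When calling valid_password?("some pass") do you want to check that password against what's in that object or whats in
 # the database. Take this example:
 #
@@ -73,7 +73,7 @@ def check_passwords_against_database(value = nil)
 rw_config(:check_passwords_against_database, value, true)
 end
 alias_method :check_passwords_against_database=, :check_passwords_against_database
-
+
 # Whether or not to validate the password field.
 #
 # * <tt>Default:</tt> true
@@ -82,7 +82,7 @@ def validate_password_field(value = nil)
 rw_config(:validate_password_field, value, true)
 end
 alias_method :validate_password_field=, :validate_password_field
-
+
 # A hash of options for the validates_length_of call for the password field. Allows you to change this however you want.
 #
 # <b>Keep in mind this is ruby. I wanted to keep this as flexible as possible, so you can completely replace the hash or
@@ -95,7 +95,7 @@ def validates_length_of_password_field_options(value = nil)
 rw_config(:validates_length_of_password_field_options, value, {:minimum => 4, :if => :require_password?})
 end
 alias_method :validates_length_of_password_field_options=, :validates_length_of_password_field_options
-
+
 # A convenience function to merge options into the validates_length_of_login_field_options. So intead of:
 #
 # self.validates_length_of_password_field_options = validates_length_of_password_field_options.merge(:my_option => my_value)
@@ -106,7 +106,7 @@ def validates_length_of_password_field_options(value = nil)
 def merge_validates_length_of_password_field_options(options = {})
 self.validates_length_of_password_field_options = validates_length_of_password_field_options.merge(options)
 end
-
+
 # A hash of options for the validates_confirmation_of call for the password field. Allows you to change this however you want.
 #
 # <b>Keep in mind this is ruby. I wanted to keep this as flexible as possible, so you can completely replace the hash or
@@ -119,12 +119,12 @@ def validates_confirmation_of_password_field_options(value = nil)
 rw_config(:validates_confirmation_of_password_field_options, value, {:if => :require_password?})
 end
 alias_method :validates_confirmation_of_password_field_options=, :validates_confirmation_of_password_field_options
-
+
 # See merge_validates_length_of_password_field_options. The same thing, except for validates_confirmation_of_password_field_options
 def merge_validates_confirmation_of_password_field_options(options = {})
 self.validates_confirmation_of_password_field_options = validates_confirmation_of_password_field_options.merge(options)
 end
-
+
 # A hash of options for the validates_length_of call for the password_confirmation field. Allows you to change this however you want.
 #
 # <b>Keep in mind this is ruby. I wanted to keep this as flexible as possible, so you can completely replace the hash or
@@ -137,22 +137,23 @@ def validates_length_of_password_confirmation_field_options(value = nil)
 rw_config(:validates_length_of_password_confirmation_field_options, value, validates_length_of_password_field_options)
 end
 alias_method :validates_length_of_password_confirmation_field_options=, :validates_length_of_password_confirmation_field_options
-
+
 # See merge_validates_length_of_password_field_options. The same thing, except for validates_length_of_password_confirmation_field_options
 def merge_validates_length_of_password_confirmation_field_options(options = {})
 self.validates_length_of_password_confirmation_field_options = validates_length_of_password_confirmation_field_options.merge(options)
 end
-
+
 # The class you want to use to encrypt and verify your encrypted passwords. See the Authlogic::CryptoProviders module for more info
-# on the available methods and how to create your own.
+# on the available methods and how to create your own. It is strongly recommended that you use SCrpyt or BCrypt. The default is Sah512 to
+# support backwards compatibility.
 #
 # * <tt>Default:</tt> CryptoProviders::Sha512
 # * <tt>Accepts:</tt> Class
 def crypto_provider(value = nil)
-rw_config(:crypto_provider, value, CryptoProviders::SCrypt)
+rw_config(:crypto_provider, value, CryptoProviders::Sha512)
 end
 alias_method :crypto_provider=, :crypto_provider
-
+
 # Let's say you originally encrypted your passwords with Sha1. Sha1 is starting to join the party with MD5 and you want to switch
 # to something stronger. No problem, just specify your new and improved algorithm with the crypt_provider option and then let
 # Authlogic know you are transitioning from Sha1 using this option. Authlogic will take care of everything, including transitioning
@@ -169,18 +170,18 @@ def transition_from_crypto_providers(value = nil)
 end
 alias_method :transition_from_crypto_providers=, :transition_from_crypto_providers
 end
-
+
 # Callbacks / hooks to allow other modules to modify the behavior of this module.
 module Callbacks
 METHODS = [
 "before_password_set", "after_password_set",
 "before_password_verification", "after_password_verification"
 ]
-
+
 def self.included(klass)
 return if klass.crypted_password_field.nil?
 klass.define_callbacks *METHODS
-
+
 # If Rails 3, support the new callback syntax
 if klass.send(klass.respond_to?(:singleton_class) ? :singleton_class : :metaclass).method_defined?(:set_callback)
 METHODS.each do |method|
@@ -192,7 +193,7 @@ def self.#{method}(*methods, &block)
 end
 end
 end
-
+
 private
 METHODS.each do |method|
 class_eval <<-"end_eval", __FILE__, __LINE__
@@ -202,34 +203,34 @@ def #{method}
 end_eval
 end
 end
-
+
 # The methods related to the password field.
 module Methods
 def self.included(klass)
 return if klass.crypted_password_field.nil?
-
+
 klass.class_eval do
 include InstanceMethods
-
+
 if validate_password_field
 validates_length_of :password, validates_length_of_password_field_options
-
+
 if require_password_confirmation
 validates_confirmation_of :password, validates_confirmation_of_password_field_options
 validates_length_of :password_confirmation, validates_length_of_password_confirmation_field_options
 end
 end
-
+
 after_save :reset_password_changed
 end
 end
-
+
 module InstanceMethods
 # The password
 def password
 @password
 end
-
+
 # This is a virtual method. Once a password is passed to it, it will create new password salt as well as encrypt
 # the password.
 def password=(pass)
@@ -241,67 +242,67 @@ def password=(pass)
 @password_changed = true
 after_password_set
 end
-
+
 # Accepts a raw password to determine if it is the correct password or not. Notice the second argument. That defaults to the value of
 # check_passwords_against_database. See that method for more information, but basically it just tells Authlogic to check the password
 # against the value in the database or the value in the object.
 def valid_password?(attempted_password, check_against_database = check_passwords_against_database?)
 crypted = check_against_database && send("#{crypted_password_field}_changed?") ? send("#{crypted_password_field}_was") : send(crypted_password_field)
 return false if attempted_password.blank? || crypted.blank?
 before_password_verification
-
+
 crypto_providers.each_with_index do |encryptor, index|
 # The arguments_type of for the transitioning from restful_authentication
 arguments_type = (act_like_restful_authentication? && index == 0) ||
 (transition_from_restful_authentication? && index > 0 && encryptor == Authlogic::CryptoProviders::Sha1) ?
 :restful_authentication : nil
-
+
 if encryptor.matches?(crypted, *encrypt_arguments(attempted_password, check_against_database, arguments_type))
 transition_password(attempted_password) if transition_password?(index, encryptor, crypted, check_against_database)
 after_password_verification
 return true
 end
 end
-
+
 false
 end
-
+
 # Resets the password to a random friendly token.
 def reset_password
 friendly_token = Authlogic::Random.friendly_token
 self.password = friendly_token
 self.password_confirmation = friendly_token
 end
 alias_method :randomize_password, :reset_password
-
+
 # Resets the password to a random friendly token and then saves the record.
 def reset_password!
 reset_password
 save_without_session_maintenance(:validate => false)
 end
 alias_method :randomize_password!, :reset_password!
-
+
 private
 def check_passwords_against_database?
 self.class.check_passwords_against_database == true
 end
-
+
 def crypto_providers
 [crypto_provider] + transition_from_crypto_providers
 end
-
+
 def encrypt_arguments(raw_password, check_against_database, arguments_type = nil)
 salt = nil
 salt = (check_against_database && send("#{password_salt_field}_changed?") ? send("#{password_salt_field}_was") : send(password_salt_field)) if password_salt_field
-
+
 case arguments_type
 when :restful_authentication
 [REST_AUTH_SITE_KEY, salt, raw_password, REST_AUTH_SITE_KEY].compact
 else
 [raw_password, salt].compact
 end
 end
-
+
 # Determines if we need to tranisiton the password.
 # If the index > 0 then we are using an "transition from" crypto provider.
 # If the encryptor has a cost and the cost it outdated.
@@ -311,40 +312,40 @@ def transition_password?(index, encryptor, crypted, check_against_database)
 (index > 0 || (encryptor.respond_to?(:cost_matches?) && !encryptor.cost_matches?(send(crypted_password_field)))) &&
 (!check_against_database || !send("#{crypted_password_field}_changed?"))
 end
-
+
 def transition_password(attempted_password)
 self.password = attempted_password
 save(:validate => false)
 end
-
+
 def require_password?
 new_record? || password_changed? || send(crypted_password_field).blank?
 end
-
+
 def ignore_blank_passwords?
 self.class.ignore_blank_passwords == true
 end
-
+
 def password_changed?
 @password_changed == true
 end
-
+
 def reset_password_changed
 @password_changed = nil
 end
-
+
 def crypted_password_field
 self.class.crypted_password_field
 end
-
+
 def password_salt_field
 self.class.password_salt_field
 end
-
+
 def crypto_provider
 self.class.crypto_provider
 end
-
+
 def transition_from_crypto_providers
 self.class.transition_from_crypto_providers
 end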
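Review bot: The rewritten doc comment on `crypto_provider` (new lines 147-148) misspells both provider names, `SCrpyt` and `Sah512`, and it understates the trade-off: reverting the default to `CryptoProviders::Sha512` keeps existing databases verifying, but a new application that never sets `crypto_provider` now silently gets a salted SHA-512 digest instead of a cost-parameterised hash, which is far cheaper to brute-force if the table leaks. I would fix the spelling and make the comment actionable, e.g. `# on the available methods and how to create your own. Sha512 is the default only for backwards compatibility; new applications should set` / `# crypto_provider to SCrypt or BCrypt, and existing ones can migrate safely with transition_from_crypto_providers.` The file's own `transition_from_crypto_providers` docs, directly below this method, describe that migration path, and `valid_password?` visibly re-hashes on successful login via `transition_password`, so pointing readers at it here costs nothing; whether the earlier SCrypt default was dropped because of the scrypt gem dependency is not visible in this diff. The enclosing `Config` module starts outside the hunk.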