-rw-r--r-- | activemodel/CHANGELOG | 2 | ||||
-rw-r--r-- | activemodel/activemodel.gemspec | 2 | ||||
-rw-r--r-- | activemodel/lib/active_model/secure_password.rb | 14 | ||||
-rw-r--r-- | activerecord/CHANGELOG | 2 |
4 files changed, 11 insertions, 9 deletions
diff --git a/activemodel/CHANGELOG b/activemodel/CHANGELOG
index a19d029217..9dd5e03685 100644
--- a/activemodel/CHANGELOG
+++ b/activemodel/CHANGELOG
@@ -1,6 +1,6 @@
 *Rails 3.1.0 (unreleased)*
-* Added ActiveModel::SecurePassword to encapsulate dead-simple password usage with SHA2 encryption and salting [DHH]
+* Added ActiveModel::SecurePassword to encapsulate dead-simple password usage with BCrypt encryption and salting [DHH]
 *Rails 3.0.2 (unreleased)*
diff --git a/activemodel/activemodel.gemspec b/activemodel/activemodel.gemspec
index 1f38e70c36..64aa7ad922 100644
--- a/activemodel/activemodel.gemspec
+++ b/activemodel/activemodel.gemspec
@@ -22,4 +22,6 @@ Gem::Specification.new do |s|
 s.add_dependency('activesupport', version)
 s.add_dependency('builder', '~> 3.0.0')
 s.add_dependency('i18n', '~> 0.5.0')
+ s.add_dependency('bcrypt-ruby', '~> 2.1.2')
+
 end
diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
index 0599ce6865..900205cf3f 100644
--- a/activemodel/lib/active_model/secure_password.rb
+++ b/activemodel/lib/active_model/secure_password.rb
@@ -1,4 +1,4 @@
-require 'digest/sha2'
+require 'bcrypt'
 module ActiveModel
 module SecurePassword
@@ -44,13 +44,17 @@ module ActiveModel
 module InstanceMethods
 # Returns self if the password is correct, otherwise false.
 def authenticate(unencrypted_password)
- password_digest == encrypt_password(unencrypted_password) ? self : false
+ if BCrypt::Password.new(password_digest) == (unencrypted_password + salt_for_password)
+ self
+ else
+ false
+ end
 end
 # Encrypts the password into the password_digest attribute.
 def password=(unencrypted_password)
 @password = unencrypted_password
- self.password_digest = encrypt_password(unencrypted_password)
+ self.password_digest = BCrypt::Password.create(unencrypted_password + salt_for_password)
 end
 private
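Review bot: `authenticate` in the `@@ -44,13 +44,17 @@` hunk of secure_password.rb now calls `BCrypt::Password.new(password_digest)` before any check, and that constructor raises `BCrypt::Errors::InvalidHash` when the digest is nil or not a bcrypt string, so a record with no password set, or a digest written by the previous SHA2 code, turns a wrong-password attempt into an exception instead of the `false` the method comment promises. A guard keeps that contract: `return false if password_digest.blank?` as the first line of the method, plus a rescue of `BCrypt::Errors::InvalidHash` returning `false` if pre-bcrypt digests can still exist in stored data. Separately, `BCrypt::Password.create` already embeds its own random per-hash salt, so appending `salt_for_password` (`object_id.to_s + rand.to_s`, visible in the next hunk) adds nothing to the hash's strength and, because bcrypt hashes only the first 72 bytes of its input, it shortens the usable password length by the salt's length; if the extra salt is kept for compatibility with the existing `password_salt` column, a comment on `password=` saying so would help the next reader. The `InstanceMethods` module and the enclosing `SecurePassword` module continue outside this hunk.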
@@ -58,10 +62,6 @@ module ActiveModel
 self.password_salt ||= self.object_id.to_s + rand.to_s
 end
- def encrypt_password(unencrypted_password)
- Digest::SHA2.hexdigest(unencrypted_password + salt_for_password)
- end
-
 def password_must_be_strong
 if @password.present?
 errors.add(:password, "must be longer than 6 characters") unless @password.size > 6
diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
index 0f7e65e8cd..9d22842cb3 100644
--- a/activerecord/CHANGELOG
+++ b/activerecord/CHANGELOG
@@ -1,6 +1,6 @@
 *Rails 3.1.0 (unreleased)*
-* Added ActiveRecord::Base#has_secure_password (via ActiveModel::SecurePassword) to encapsulate dead-simple password usage with SHA2 encryption and salting [DHH]. Example:
+* Added ActiveRecord::Base#has_secure_password (via ActiveModel::SecurePassword) to encapsulate dead-simple password usage with BCrypt encryption and salting [DHH]. Example:
 # Schema: User(name:string, password_digest:string, password_salt:string)
 class User < ActiveRecord::Base |