aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--activemodel/CHANGELOG2
-rw-r--r--activemodel/activemodel.gemspec2
-rw-r--r--activemodel/lib/active_model/secure_password.rb14
-rw-r--r--activerecord/CHANGELOG2
4 files changed, 11 insertions, 9 deletions
diff --git a/activemodel/CHANGELOG b/activemodel/CHANGELOG
index a19d029217..9dd5e03685 100644
--- a/activemodel/CHANGELOG
+++ b/activemodel/CHANGELOG
@@ -1,6 +1,6 @@
*Rails 3.1.0 (unreleased)*
-* Added ActiveModel::SecurePassword to encapsulate dead-simple password usage with SHA2 encryption and salting [DHH]
+* Added ActiveModel::SecurePassword to encapsulate dead-simple password usage with BCrypt encryption and salting [DHH]
*Rails 3.0.2 (unreleased)*
diff --git a/activemodel/activemodel.gemspec b/activemodel/activemodel.gemspec
index 1f38e70c36..64aa7ad922 100644
--- a/activemodel/activemodel.gemspec
+++ b/activemodel/activemodel.gemspec
@@ -22,4 +22,6 @@ Gem::Specification.new do |s|
s.add_dependency('activesupport', version)
s.add_dependency('builder', '~> 3.0.0')
s.add_dependency('i18n', '~> 0.5.0')
+ s.add_dependency('bcrypt-ruby', '~> 2.1.2')
+
end
diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
index 0599ce6865..900205cf3f 100644
--- a/activemodel/lib/active_model/secure_password.rb
+++ b/activemodel/lib/active_model/secure_password.rb
@@ -1,4 +1,4 @@
-require 'digest/sha2'
+require 'bcrypt'
module ActiveModel
module SecurePassword
@@ -44,13 +44,17 @@ module ActiveModel
module InstanceMethods
# Returns self if the password is correct, otherwise false.
def authenticate(unencrypted_password)
- password_digest == encrypt_password(unencrypted_password) ? self : false
+ if BCrypt::Password.new(password_digest) == (unencrypted_password + salt_for_password)
+ self
+ else
+ false
+ end
end
# Encrypts the password into the password_digest attribute.
def password=(unencrypted_password)
@password = unencrypted_password
- self.password_digest = encrypt_password(unencrypted_password)
+ self.password_digest = BCrypt::Password.create(unencrypted_password + salt_for_password)
end
private
@@ -58,10 +62,6 @@ module ActiveModel
self.password_salt ||= self.object_id.to_s + rand.to_s
end
- def encrypt_password(unencrypted_password)
- Digest::SHA2.hexdigest(unencrypted_password + salt_for_password)
- end
-
def password_must_be_strong
if @password.present?
errors.add(:password, "must be longer than 6 characters") unless @password.size > 6
diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
index 0f7e65e8cd..9d22842cb3 100644
--- a/activerecord/CHANGELOG
+++ b/activerecord/CHANGELOG
@@ -1,6 +1,6 @@
*Rails 3.1.0 (unreleased)*
-* Added ActiveRecord::Base#has_secure_password (via ActiveModel::SecurePassword) to encapsulate dead-simple password usage with SHA2 encryption and salting [DHH]. Example:
+* Added ActiveRecord::Base#has_secure_password (via ActiveModel::SecurePassword) to encapsulate dead-simple password usage with BCrypt encryption and salting [DHH]. Example:
# Schema: User(name:string, password_digest:string, password_salt:string)
class User < ActiveRecord::Base