From 9f32e5bdf78c2ce85fa1be9f3916a77266b63c47 Mon Sep 17 00:00:00 2001
From: Michael Hartl
Date: Mon, 1 Jul 2013 14:20:06 -0700
Subject: [PATCH 1/4] Add remember token digest
---
 app/helpers/sessions_helper.rb | 8 +++++---
 app/models/user.rb | 13 +++++++++++--
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/app/helpers/sessions_helper.rb b/app/helpers/sessions_helper.rb
index 3742569e4..d26dbbdb1 100644
--- a/app/helpers/sessions_helper.rb
+++ b/app/helpers/sessions_helper.rb
@@ -1,10 +1,11 @@
 module SessionsHelper
 def sign_in(user)
+ user.new_remember_token!
 cookies.permanent[:remember_token] = user.remember_token
 self.current_user = user
 end
-
+
 def signed_in?
 !current_user.nil?
 end
@@ -14,13 +15,14 @@ def current_user=(user)
 end
 def current_user
- @current_user ||= User.find_by(remember_token: cookies[:remember_token])
+ remember_token = User.encrypted_token(cookies[:remember_token])
+ @current_user ||= User.find_by(remember_token: remember_token)
 end
 def current_user?(user)
 user == current_user
 end
-
+
 def signed_in_user
 unless signed_in?
 store_location
diff --git a/app/models/user.rb b/app/models/user.rb
index c524ee498..f8e6e18af 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -7,7 +7,7 @@ class User < ActiveRecord::Base
 dependent: :destroy
 has_many :followers, through: :reverse_relationships, source: :follower
 before_save { self.email = email.downcase }
- before_save :create_remember_token
+ before_create :create_remember_token
 validates :name, presence: true, length: { maximum: 50 }
 VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-]+(\.[a-z]+)*\.[a-z]+\z/i
 validates :email, presence: true, format: { with: VALID_EMAIL_REGEX },
@@ -15,6 +15,11 @@ class User < ActiveRecord::Base
 has_secure_password
 validates :password, length: { minimum: 6 }
+ def new_remember_token!
+ create_remember_token
+ save!(validate: false)
+ end
+
 def feed
 Micropost.from_users_followed_by(self)
 end
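Review bot: `sign_in` copies `user.remember_token` into the cookie, but after this patch that column holds a digest (`create_remember_token` in the `@@ -31,9 +36,13 @@` hunk of user.rb stores `User.encrypted_token(SecureRandom.urlsafe_base64)` and drops the random value), while `current_user` in the `@@ -14,13 +15,14 @@` hunk digests the cookie a second time before `find_by`; SHA1 of a digest never equals the stored digest, so no visitor can be recognised on a later request. The raw token has to be generated in `sign_in`, handed to the cookie, and only its digest persisted, which is what PATCH 2/4 of this series goes on to do. As committed here, `user.new_remember_token!` followed by the cookie write cannot restore a session. `signed_in?` at the tail of the hunk is unchanged.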
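Review bot: `User.encrypted_token(cookies[:remember_token])` runs for every request, and a browser without the cookie passes `nil` to `Digest::SHA1.hexdigest`, which raises `TypeError` instead of yielding a non-matching digest; because `signed_in?` calls `current_user`, every signed-out request that reaches `signed_in_user` hits that path. Tolerating the absent cookie belongs in the model, `Digest::SHA1.hexdigest(token.to_s)`, so that the method in the `@@ -31,9 +36,13 @@` hunk of user.rb and its renamed form `User.encrypt` in PATCH 2/4 are both covered; as long as every row passes through the `before_create` callback no stored value equals the digest of an empty string, and the lookup then simply returns nil. The digest is also recomputed on each call even once `@current_user` is memoised; `@current_user ||= User.find_by(remember_token: User.encrypted_token(cookies[:remember_token]))` confines the work to the first lookup. `signed_in_user` continues past the end of the hunk.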
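Review bot: Switching `create_remember_token` from `before_save` to `before_create` means the stored digest is written once and is no longer rotated by ordinary profile saves, so from here on a token is only invalidated when the user signs in again through `new_remember_token!` (added in the `@@ -15,6 +15,11 @@` hunk). That is a reasonable trade-off but it is not stated anywhere; a one-line comment such as `# set once at creation; rotated by new_remember_token! on each sign-in` would record it. The class body continues beyond the hunk.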
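Review bot: `save!(validate: false)` in `new_remember_token!` persists every dirty attribute on the receiver, not just the freshly assigned `remember_token`, and does so with validations switched off, so a caller holding a user with unsaved edits would commit them unvalidated as a side effect of signing in. `update_column(:remember_token, remember_token)` after `create_remember_token` limits the write to that column (it also skips callbacks, so `before_save { self.email = email.downcase }` would not run, which is the intended scope here). The method carries no documentation; a comment stating that it rotates and persists the stored digest without validation would help, though PATCH 2/4 of the series removes the method again. The class continues beyond the hunk.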
@@ -31,9 +36,13 @@ def unfollow!(other_user)
 relationships.find_by(followed_id: other_user.id).destroy
 end
+ def User.encrypted_token(token)
+ Digest::SHA1.hexdigest(token)
+ end
+
 private
 def create_remember_token
- self.remember_token = SecureRandom.urlsafe_base64
+ self.remember_token = User.encrypted_token(SecureRandom.urlsafe_base64)
 end
 end
From 8e77d7d58c3c7ce6351bb21fa7752024d067a1ae Mon Sep 17 00:00:00 2001
From: Michael Hartl
Date: Mon, 1 Jul 2013 14:37:22 -0700
Subject: [PATCH 2/4] Prep for adding correct version
---
 app/helpers/sessions_helper.rb | 7 ++++---
 app/models/user.rb | 13 ++++++-------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/app/helpers/sessions_helper.rb b/app/helpers/sessions_helper.rb
index d26dbbdb1..20b185512 100644
--- a/app/helpers/sessions_helper.rb
+++ b/app/helpers/sessions_helper.rb
@@ -1,8 +1,9 @@
 module SessionsHelper
 def sign_in(user)
- user.new_remember_token!
- cookies.permanent[:remember_token] = user.remember_token
+ remember_token = User.new_remember_token
+ cookies.permanent[:remember_token] = remember_token
+ user.update_attribute(:remember_token, User.encrypt(remember_token))
 self.current_user = user
 end
@@ -15,7 +16,7 @@ def current_user=(user)
 end
 def current_user
- remember_token = User.encrypted_token(cookies[:remember_token])
+ remember_token = User.encrypt(cookies[:remember_token])
 @current_user ||= User.find_by(remember_token: remember_token)
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index f8e6e18af..1bfd636f2 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -15,11 +15,6 @@ class User < ActiveRecord::Base
 has_secure_password
 validates :password, length: { minimum: 6 }
- def new_remember_token!
- create_remember_token
- save!(validate: false)
- end
-
 def feed
 Micropost.from_users_followed_by(self)
 end
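Review bot: `User.encrypted_token` computes `Digest::SHA1.hexdigest(token)`, a keyless one-way digest with no decryption, so the name overstates what is stored; `digest` (or `hash_token`) describes it accurately, and the rename to `encrypt` in PATCH 2/4 carries the same misnomer forward. `create_remember_token` digests a `SecureRandom.urlsafe_base64` value that is discarded immediately, so the digest written at creation can never be matched by any cookie; that is harmless as a placeholder provided `sign_in` always replaces it with a token whose raw value reaches the cookie, but it deserves a comment, e.g. `# placeholder digest; the usable token is issued and stored by sign_in`. The hunk closes the class, so nothing of it lies outside.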
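Review bot: `cookies.permanent[:remember_token] = remember_token` issues the raw bearer token as a 20-year cookie that is neither `httponly` nor `secure`, so any script running in the page can read it from `document.cookie`; `cookies.permanent[:remember_token] = { value: remember_token, httponly: true }` keeps it out of script reach, and `secure: true` should be added where the app is served over TLS. `update_attribute` also overwrites the single stored digest, so signing in from a second browser silently invalidates the first one's cookie, which is acceptable but worth a comment such as `# one token per user: each sign-in invalidates earlier remember cookies`. Splitting the raw value (cookie) from its digest (database) is the right direction and repairs the double hashing of PATCH 1/4. The hunk ends at `sign_in`'s `end`.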
@@ -36,13 +31,17 @@ def unfollow!(other_user)
 relationships.find_by(followed_id: other_user.id).destroy
 end
- def User.encrypted_token(token)
+ def User.new_remember_token
+ SecureRandom.urlsafe_base64
+ end
+
+ def User.encrypt(token)
 Digest::SHA1.hexdigest(token)
 end
 private
 def create_remember_token
- self.remember_token = User.encrypted_token(SecureRandom.urlsafe_base64)
+ self.remember_token = User.encrypt(User.new_remember_token)
 end
 end
From a5427eddef269b6352573ded11aa4c5799afb114 Mon Sep 17 00:00:00 2001
From: Michael Hartl
Date: Mon, 1 Jul 2013 17:16:16 -0700
Subject: [PATCH 3/4] Switch to SHA1
---
 app/models/user.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 1bfd636f2..c4cca484e 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -36,7 +36,12 @@ def User.new_remember_token
 end
 def User.encrypt(token)
- Digest::SHA1.hexdigest(token)
+ cost = if ActiveModel::SecurePassword.min_cost
+ BCrypt::Engine::MIN_COST
+ else
+ BCrypt::Engine::DEFAULT_COST
+ end
+ BCrypt::Password.create(token, cost: cost)
 end
 private
From 324d5ced5fcbadd91fc5993d72f29b0ff8261170 Mon Sep 17 00:00:00 2001
From: Michael Hartl
Date: Mon, 1 Jul 2013 17:48:01 -0700
Subject: [PATCH 4/4] Make anal changes
---
 app/helpers/sessions_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/helpers/sessions_helper.rb b/app/helpers/sessions_helper.rb
index 20b185512..9f59e1c96 100644
--- a/app/helpers/sessions_helper.rb
+++ b/app/helpers/sessions_helper.rb
@@ -16,7 +16,7 @@ def current_user=(user)
 end
 def current_user
- remember_token = User.encrypt(cookies[:remember_token])
+ remember_token = User.encrypt(cookies[:remember_token])
 @current_user ||= User.find_by(remember_token: remember_token)
 end
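Review bot: The two new public class methods `User.new_remember_token` and `User.encrypt` have no documentation, and callers in sessions_helper.rb rely on the contract that the first returns the raw value for the cookie while only the output of the second is stored. A short comment on each would fix that, e.g. `# Fresh random token (SecureRandom.urlsafe_base64, 16 bytes by default); never persisted as-is` and `# One-way digest of a token; this is what the remember_token column holds`. As a point of style, `def self.new_remember_token` is the conventional form over `def User.new_remember_token`, and `encrypt` still names a digest rather than encryption. The hunk closes the class.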
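Review bot: `BCrypt::Password.create(token, cost: cost)` salts every call with fresh random bytes, so `User.encrypt(cookies[:remember_token])` in `current_user` (sessions_helper.rb, outside this patch) produces a different string from the one `sign_in` stored via `update_attribute`, and `find_by(remember_token: …)` can no longer match any row; bcrypt output can only be checked with `BCrypt::Password.new(stored) == candidate`, which does not fit a lookup by column value. A salted, slow hash also buys nothing here: the token is already `SecureRandom.urlsafe_base64` output (16 random bytes by default), so a fast digest of it is not guessable, whereas bcrypt at `DEFAULT_COST` would run on every request that touches `current_user`. Keeping `Digest::SHA1.hexdigest(token.to_s)` (or `Digest::SHA256`) is the fix; the subject line "Switch to SHA1" appears to describe the opposite of what this hunk does, which suggests the message and the code were swapped. `private` and the rest of the class follow the hunk.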