diff options
| author | erdgeist <erdgeist@erdgeist.org> | 2026-07-16 19:45:42 +0200 |
|---|---|---|
| committer | erdgeist <erdgeist@erdgeist.org> | 2026-07-16 19:45:42 +0200 |
| commit | 220ed6c7914f5977d36b7617e9c38999317f57e5 (patch) | |
| tree | 85508f95b1f5df52ff1edfd5530285278a00c839 /app/models | |
| parent | 45b130fd28f60a67552121b2dfab227279615a26 (diff) | |
Implement transparent password hash migration
Add has_secure_password and bcrypt while retaining compatibility with
legacy SHA-1 password hashes. Existing users are upgraded to
password_digest on their next successful login.
Add regression tests covering both legacy and modern authentication
paths.
Diffstat (limited to 'app/models')
| -rw-r--r-- | app/models/user.rb | 31 |
1 files changed, 28 insertions, 3 deletions
diff --git a/app/models/user.rb b/app/models/user.rb index 92ac33a..5e47ae7 100644 --- a/app/models/user.rb +++ b/app/models/user.rb | |||
| @@ -1,6 +1,10 @@ | |||
| 1 | require 'digest/sha1' | 1 | require 'digest/sha1' |
| 2 | 2 | ||
| 3 | class User < ApplicationRecord | 3 | class User < ApplicationRecord |
| 4 | has_secure_password(validations: false) | ||
| 5 | |||
| 6 | alias_method :authenticate_bcrypt, :authenticate | ||
| 7 | |||
| 4 | # Mixins and Plugins | 8 | # Mixins and Plugins |
| 5 | include Authentication | 9 | include Authentication |
| 6 | include Authentication::ByPassword | 10 | include Authentication::ByPassword |
| @@ -23,9 +27,30 @@ class User < ApplicationRecord | |||
| 23 | 27 | ||
| 24 | # Authenticates a user by their login name and unencrypted password. Returns the user or nil. | 28 | # Authenticates a user by their login name and unencrypted password. Returns the user or nil. |
| 25 | def self.authenticate(login, password) | 29 | def self.authenticate(login, password) |
| 26 | return nil if login.blank? || password.blank? | 30 | return if login.blank? || password.blank? |
| 27 | u = find_by_login(login) # need to get the salt | 31 | |
| 28 | u && u.authenticated?(password) ? u : nil | 32 | user = find_by(login: login) |
| 33 | return unless user | ||
| 34 | |||
| 35 | user&.authenticate(password) | ||
| 36 | end | ||
| 37 | |||
| 38 | def authenticate(password) | ||
| 39 | if password_digest.present? | ||
| 40 | return self if authenticate_bcrypt(password) | ||
| 41 | return nil | ||
| 42 | end | ||
| 43 | |||
| 44 | return nil unless authenticate_legacy(password) | ||
| 45 | |||
| 46 | transaction do | ||
| 47 | self.password = password | ||
| 48 | self.crypted_password = nil | ||
| 49 | self.salt = nil | ||
| 50 | save!(validate: false) | ||
| 51 | end | ||
| 52 | |||
| 53 | self | ||
| 29 | end | 54 | end |
| 30 | 55 | ||
| 31 | # TODO: Do we really want to have downcase logins only? | 56 | # TODO: Do we really want to have downcase logins only? |
