ruby on rails - How to customize bcrypt? -


i have built working api using rails using this pluralsight blog. in app user verification i've used gems bcrypt , jwt. using mysql database , have user table named users.

which looks this:

current user table
saw production database looks this: desired user table

since have done quite research , found out while using latest version of bcrypt must have password_digest column, cant store encrypted password , password salt separately.
problem can't change schema of existing table. kindly let me know if there's work around? or there exists better approach tackle issue.

it is possible , isn't difficult. i'll show step-by-step procedure helps understand how that.

how passwords work under hood

we start locating has_secure_password. it's defined in activemodel::securepassword::classmethods. activemodel::securepassword active model concern responsible passwords. it's included activerecord::base.

if at source code can see includes instancemethodsonactivation. defines 4 instance methods:

  1. authenticate - build bcrypt::password based on value returned password_digest (normally column accessor) , tests whether matches unencrypted_password.
  2. password - ordinary attribute reader.
  3. password= - custom attribute setter. converts assignment password assignment password_digest. remember in ruby these "assignments" method calls. in other words, method translates call #password= call #password_digest=.
  4. password_confirmation= - ordinary attribute writer.

based on above code, can see model needs implement 2 methods compatible rails secure passwords. these methods #password_digest , #password_digest=. activemodel::securepassword doesn't care whether backed database columns! perspective, ordinary ruby methods.

implementation

we know #password_digest needs assemble bcrypt digest based on 2 columns in our database. conversely, #password_digest= needs disassemble bcrypt digest salt , checksum.

let's write simple test case ensure code works. our goal make test pass.

require 'test_helper'  class usertest < activesupport::testcase   name = 'gregnavis'.freeze   password = '1234abcd'.freeze    test 'passwords work'     # first, store user in database check fields     # serialized correctly.     user.create!(name: name,                  password: password,                  password_confirmation: password)      # second, reload model ensure works if reset     # state isn't serialized database.     user = user.find_by_name!(name)      # third, let's see whether authentication works.     assert(user.authenticate(password))     assert_not(user.authenticate("#{password}1"))   end end

looking @ source code of #password= can see method receives instance of bcrypt::password argument. the docs bcrypt::password list salt (which includes salt, version, , cost) , checksum attributes. means following implementation should pass test:

class user < activerecord::base   has_secure_password    def password_digest     # need glue 2 parts.     "#{password_salt}#{password_hash}"   end    def password_digest=(digest)     # need split bcrypt::password 2 parts.     self.password_salt = digest.salt     self.password_hash = digest.checksum   end end

that's it! test green. confirmed joining digest.salt , digest.checksum gives complete hash. did in console.


Comments

Post a Comment

Popular posts from this blog

Is there a better way to structure post methods in Class Based Views -

i'm using class based views in django , never specify url in ajax calls , omit action parameter in form because know these requests go through post method of class based view. notice view - profile page make many requests depending on user updating on page - post method become convoluted , if/else mess example: def post(self, request, *args, **kwargs): # handle user changing available date if request.post.get('availabledate') != none: self.updateavailabledate(request) return jsonresponse({'result':'success'}) if request.post.get('newprojectname') != none: creative_user = creativeuserprofile.objects.get(id = request.user.id) project = project.create_project(creative_user, request.post['newprojectname']) project.save() return jsonresponse({'projectid': project.id }) if request.post.get('projectimage') != none , request.files['file']: proj...
Read more

performance - Why is XCHG reg, reg a 3 micro-op instruction on modern Intel architectures? -

i'm doing micro-optimization on performance critical part of code , came across sequence of instructions (in at&t syntax): add %rax, %rbx mov %rdx, %rax mov %rbx, %rdx i thought had use case xchg allow me shave instruction , write: add %rbx, %rax xchg %rax, %rdx however, dimay found agner fog's instruction tables , xchg 3 micro-op instruction 2 cycle latency on sandy bridge, ivy bridge, broadwell, haswell , skylake. 3 whole micro-ops , 2 cycles of latency! 3 micro-ops throws off 4-1-1-1 cadence , 2 cycle latency makes worse original in best case since last 2 instructions in original might execute in parallel. now... cpu might breaking instruction micro-ops equivalent to: mov %rax, %tmp mov %rdx, %rax mov %tmp, %rdx where tmp anonymous internal register , suppose last 2 micro-ops run in parallel latency 2 cycles. given register renaming occurs on these micro-architectures, though, doesn't make sense me done way. why wouldn't register renamer ...
Read more

c# - Asp.net web api : redirect unauthorized requst to forbidden page -

im trying redirect unauthorized request forbidden page instead i'm getting forbidden page in response body , how can fix ? here's startup class : app.createperowincontext(storecontext.create); app.createperowincontext<applicationusermanager>(applicationusermanager.create); app.createperowincontext<applicationsigninmanager>(applicationsigninmanager.create); app.usecookieauthentication(new cookieauthenticationoptions { authenticationtype = defaultauthenticationtypes.applicationcookie, expiretimespan = timespan.fromdays(30), }); app.useexternalsignincookie(defaultauthenticationtypes.externalcookie); app.usetwofactorsignincookie(defaultauthenticationtypes.twofactorcookie, timespan.fromminutes(5)); app.usetwofactorrememberbrowsercookie(defaultauthenticationtypes.twofactorrememberbrowsercookie); the method im trying reach : [httpget] [authorize(roles = "admin")] public string getcurrentusername() { return userman...
Read more