From 2297e8c4d14004c71ad0066f432450eb7b13d3f4 Mon Sep 17 00:00:00 2001
From: Ari Timonen <arit@fastmail.com>
Date: Mon, 6 Apr 2020 23:41:42 +0300
Subject: [PATCH] Allow manual password hash MD5 for testing

---
 app/controllers/users_controller.rb |  1 +
 app/models/user.rb                  | 16 ++++++++++++----
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index a3489ae..cf89d4c 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -96,6 +96,7 @@ class UsersController < ApplicationController
           flash[:notice] = t(:accounts_locked)
         else
           flash[:notice] = "%s (%s)" % [t(:login_successful), u.password_hash_s]
+          # FIXME: this doesn't work because model is saved before
           flash[:notice] << " \n%s" % I18n.t(:password_md5_scrypt) if u.password_hash_changed?
           save_session u
         end
diff --git a/app/models/user.rb b/app/models/user.rb
index 9144fd4..d9d8cb4 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -54,6 +54,7 @@ class User < ActiveRecord::Base
 
   attribute :lastvisit, :datetime, default: Time.now.utc
   attribute :password_hash, :integer, default: PASSWORD_SCRYPT
+  attr_accessor :password_force
 
   belongs_to :team, :optional => true
   has_one :profile, :dependent => :destroy
@@ -331,13 +332,20 @@ class User < ActiveRecord::Base
   # NOTE: function does not call save
   # Maybe it should return to not waste save?
   def update_password
+    # Standard logic for saving password
     if raw_password and raw_password.length > 0
-      self.password = SCrypt::Password.create(raw_password)
-      self.password_hash = User::PASSWORD_SCRYPT
-    elsif password_hash == User::PASSWORD_MD5
+      # Allow old hash too
+      if password_hash == User::PASSWORD_MD5 and password_force
+        self.password = Digest::MD5.hexdigest(raw_password)
+      else
+        self.password_hash = User::PASSWORD_SCRYPT
+        self.password = SCrypt::Password.create(raw_password)
+      end
+    # Update MD5 to MD5+Scrypt
+    elsif password_hash == User::PASSWORD_MD5 and !password_force
       # Scrypt(Md5(passsword))
-      self.password = SCrypt::Password.create(password)
       self.password_hash = User::PASSWORD_MD5_SCRYPT
+      self.password = SCrypt::Password.create(password)
     end
   end