Allow manual password hash MD5 for testing

Ari Timonen 2020-04-06 23:41:42 +03:00
parent bfd866fa88
commit 2297e8c4d1
2 changed files with 13 additions and 4 deletions


@ -96,6 +96,7 @@ class UsersController < ApplicationController
flash[:notice] = t(:accounts_locked) flash[:notice] = t(:accounts_locked)
else else
flash[:notice] = "%s (%s)" % [t(:login_successful), u.password_hash_s] flash[:notice] = "%s (%s)" % [t(:login_successful), u.password_hash_s]
# FIXME: this doesn't work because model is saved before
flash[:notice] << " \n%s" % I18n.t(:password_md5_scrypt) if u.password_hash_changed? flash[:notice] << " \n%s" % I18n.t(:password_md5_scrypt) if u.password_hash_changed?
save_session u save_session u
end end
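Review bot: The added FIXME documents that the `password_hash_changed?` check on the following line never fires but leaves the dead check in place, so a user whose stored hash was upgraded at login is never shown the `password_md5_scrypt` notice. If the record really is saved before this point, as the comment says, the post-save dirty API would answer the question: `flash[:notice] << " \n%s" % I18n.t(:password_md5_scrypt) if u.saved_change_to_password_hash?` (available from Rails 5.1; the Rails version is not visible here). If the fix has to wait, the comment should at least name the cause, e.g. `# FIXME: u is already saved here, so password_hash_changed? is always false`. The enclosing action starts and ends outside this hunk.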


@ -54,6 +54,7 @@ class User < ActiveRecord::Base
attribute :lastvisit, :datetime, default: Time.now.utc attribute :lastvisit, :datetime, default: Time.now.utc
attribute :password_hash, :integer, default: PASSWORD_SCRYPT attribute :password_hash, :integer, default: PASSWORD_SCRYPT
attr_accessor :password_force
belongs_to :team, :optional => true belongs_to :team, :optional => true
has_one :profile, :dependent => :destroy has_one :profile, :dependent => :destroy
@ -331,13 +332,20 @@ class User < ActiveRecord::Base
# NOTE: function does not call save # NOTE: function does not call save
# Maybe it should return to not waste save? # Maybe it should return to not waste save?
def update_password def update_password
# Standard logic for saving password
if raw_password and raw_password.length > 0 if raw_password and raw_password.length > 0
self.password = SCrypt::Password.create(raw_password) # Allow old hash too
self.password_hash = User::PASSWORD_SCRYPT if password_hash == User::PASSWORD_MD5 and password_force
elsif password_hash == User::PASSWORD_MD5 self.password = Digest::MD5.hexdigest(raw_password)
else
self.password_hash = User::PASSWORD_SCRYPT
self.password = SCrypt::Password.create(raw_password)
end
# Update MD5 to MD5+Scrypt
elsif password_hash == User::PASSWORD_MD5 and !password_force
# Scrypt(Md5(passsword)) # Scrypt(Md5(passsword))
self.password = SCrypt::Password.create(password)
self.password_hash = User::PASSWORD_MD5_SCRYPT self.password_hash = User::PASSWORD_MD5_SCRYPT
self.password = SCrypt::Password.create(password)
end end
end end
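Review bot: Nothing in the new `password_force` branch of `update_password` restricts it to the test environment named in the commit title, so the path that stores `Digest::MD5.hexdigest(raw_password)`, an unsalted and fast hash, is reachable in production code. Because `password_force` is a plain public `attr_accessor`, any caller able to set it together with `password_hash` could persist the weaker hash for a real account; whether a controller permits these fields from request params is not visible here and should be checked. I would gate the branch on the environment, e.g. `if password_hash == User::PASSWORD_MD5 && password_force && Rails.env.test?`, and put a comment above `attr_accessor :password_force` stating that it is test-only and must never be accepted from params. Using `&&` rather than `and` in these conditions would also avoid the low-precedence operator's surprises if the expressions grow.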