Module: EncryptedUserPassword

Extended by:: ActiveSupport::Concern

Included in:: User

Defined in:: app/models/concerns/encrypted_user_password.rb

Overview

Support for both BCrypt and PBKDF2+SHA512 user passwords Meant to be used exclusively with User model but extracted to a concern for isolation and clarity.

Constant Summary collapse

BCRYPT_PREFIX =

'$2a$'

PBKDF2_SHA512_PREFIX =

'$pbkdf2-sha512$'

BCRYPT_STRATEGY =

:bcrypt

PBKDF2_SHA512_STRATEGY =

:pbkdf2_sha512

Instance Method Summary collapse

#authenticatable_salt ⇒ Object

Use Devise DatabaseAuthenticatable#authenticatable_salt unless encrypted password is PBKDF2+SHA512.
#password=(new_password) ⇒ Object
#valid_password?(password) ⇒ Boolean

Called by Devise during database authentication.

Instance Method Details

#authenticatable_salt ⇒ `Object`

Use Devise DatabaseAuthenticatable#authenticatable_salt unless encrypted password is PBKDF2+SHA512.

# File 'app/models/concerns/encrypted_user_password.rb', line 17

def authenticatable_salt
  return super unless pbkdf2_password?

  Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512.split_digest(encrypted_password)[:salt]
end

#password=(new_password) ⇒ `Object`

# File 'app/models/concerns/encrypted_user_password.rb', line 32

def password=(new_password)
  @password = new_password # rubocop:disable Gitlab/ModuleWithInstanceVariables
  return unless new_password.present?

  self.encrypted_password = if Gitlab::FIPS.enabled?
                              Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512.digest(
                                new_password,
                                Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512::STRETCHES,
                                Devise.friendly_token[0, 16])
                            else
                              Devise::Encryptor.digest(self.class, new_password)
                            end
end

#valid_password?(password) ⇒ `Boolean`

Called by Devise during database authentication. Also migrates the user password to the configured encryption type (BCrypt or PBKDF2+SHA512), if needed.

Returns:

(Boolean)

# File 'app/models/concerns/encrypted_user_password.rb', line 26

def valid_password?(password)
  return false unless password_matches?(password)

  migrate_password!(password)
end