Module: EncryptedUserPassword
- Extended by:
- ActiveSupport::Concern
- Included in:
- User
- Defined in:
- app/models/concerns/encrypted_user_password.rb
Overview
Support for both BCrypt and PBKDF2+SHA512 user passwords Meant to be used exclusively with User model but extracted to a concern for isolation and clarity.
Constant Summary collapse
- BCRYPT_PREFIX =
'$2a$'
- PBKDF2_SHA512_PREFIX =
'$pbkdf2-sha512$'
- BCRYPT_STRATEGY =
:bcrypt
- PBKDF2_SHA512_STRATEGY =
:pbkdf2_sha512
Instance Method Summary collapse
-
#authenticatable_salt ⇒ Object
Use Devise DatabaseAuthenticatable#authenticatable_salt unless encrypted password is PBKDF2+SHA512.
- #password=(new_password) ⇒ Object
-
#valid_password?(password) ⇒ Boolean
Called by Devise during database authentication.
Instance Method Details
#authenticatable_salt ⇒ Object
Use Devise DatabaseAuthenticatable#authenticatable_salt unless encrypted password is PBKDF2+SHA512.
17 18 19 20 21 |
# File 'app/models/concerns/encrypted_user_password.rb', line 17 def authenticatable_salt return super unless pbkdf2_password? Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512.split_digest(encrypted_password)[:salt] end |
#password=(new_password) ⇒ Object
32 33 34 35 36 37 38 39 40 41 42 43 44 |
# File 'app/models/concerns/encrypted_user_password.rb', line 32 def password=(new_password) @password = new_password # rubocop:disable Gitlab/ModuleWithInstanceVariables return unless new_password.present? self.encrypted_password = if Gitlab::FIPS.enabled? Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512.digest( new_password, Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512::STRETCHES, Devise.friendly_token[0, 16]) else Devise::Encryptor.digest(self.class, new_password) end end |
#valid_password?(password) ⇒ Boolean
Called by Devise during database authentication. Also migrates the user password to the configured encryption type (BCrypt or PBKDF2+SHA512), if needed.
26 27 28 29 30 |
# File 'app/models/concerns/encrypted_user_password.rb', line 26 def valid_password?(password) return false unless password_matches?(password) migrate_password!(password) end |