Authenticate users with deprecated SHA-1 passwords

2025-12-24 03:00:12 +01:00 · 2011-09-05 01:29:48 +02:00 · 2011-09-05 01:29:48 +02:00 · e5708f5ce7
commit e5708f5ce7
parent 8e23d11054
2 changed files with 23 additions and 2 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -123,8 +123,8 @@ class User < ActiveRecord::Base
    return nil if candidate.nil?

    if Tracks::Config.auth_schemes.include?('database')
-      return candidate if candidate.auth_type == 'database' &&
-        BCrypt::Password.new(candidate.crypted_password) == pass
+      return candidate if candidate.auth_type == 'database' and
+        candidate.password_matches? pass
    end
    
    if Tracks::Config.auth_schemes.include?('ldap')
@ -216,6 +216,14 @@ class User < ActiveRecord::Base
    crypted_password =~ /^[a-f0-9]{40}$/i
  end

+  def password_matches?(pass)
+    if uses_deprecated_password?
+      crypted_password == User.sha1(pass)
+    else
+      BCrypt::Password.new(crypted_password) == pass
+    end
+  end
+
 protected

  def self.salted(s)
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@ -343,6 +343,19 @@ class UserTest < ActiveSupport::TestCase
    u.change_password("foobar", "foobar")
    assert_nil u.uses_deprecated_password?
  end
+
+  def test_should_authenticate_with_deprecated_password
+    assert_nil User.authenticate('mr_deprecated', 'wrong password')
+    assert_equal users(:user_with_sha1_password),
+      User.authenticate('mr_deprecated', 'foobar')
+  end
+
+  def test_password_matches
+    assert_not_nil User.authenticate(@admin_user.login, "abracadabra")
+    assert_nil User.authenticate(@admin_user.login, "incorrect")
+    assert_not_nil User.authenticate(users(:user_with_sha1_password).login, "foobar")
+    assert_nil User.authenticate(users(:user_with_sha1_password).login, "wrong")
+  end
  
  
  protected