Authenticate users with deprecated SHA-1 passwords

app/models/user.rb

@@ -123,8 +123,8 @@ class User < ActiveRecord::Base
     return nil if candidate.nil?
 
     if Tracks::Config.auth_schemes.include?('database')
-      return candidate if candidate.auth_type == 'database' &&
+      return candidate if candidate.auth_type == 'database' and
-        BCrypt::Password.new(candidate.crypted_password) == pass
+        candidate.password_matches? pass
     end
     
     if Tracks::Config.auth_schemes.include?('ldap')
@@ -216,6 +216,14 @@ class User < ActiveRecord::Base
     crypted_password =~ /^[a-f0-9]{40}$/i
   end
 
+  def password_matches?(pass)
+    if uses_deprecated_password?
+      crypted_password == User.sha1(pass)
+    else
+      BCrypt::Password.new(crypted_password) == pass
+    end
+  end
+
 protected
 
   def self.salted(s)

test/unit/user_test.rb

@@ -344,6 +344,19 @@ class UserTest < ActiveSupport::TestCase
     assert_nil u.uses_deprecated_password?
   end
 
+  def test_should_authenticate_with_deprecated_password
+    assert_nil User.authenticate('mr_deprecated', 'wrong password')
+    assert_equal users(:user_with_sha1_password),
+      User.authenticate('mr_deprecated', 'foobar')
+  end
+
+  def test_password_matches
+    assert_not_nil User.authenticate(@admin_user.login, "abracadabra")
+    assert_nil User.authenticate(@admin_user.login, "incorrect")
+    assert_not_nil User.authenticate(users(:user_with_sha1_password).login, "foobar")
+    assert_nil User.authenticate(users(:user_with_sha1_password).login, "wrong")
+  end
+  
   
   protected
     def create_user(options = {})