BCrypt is regarded as a more secure alternative to hashing using message
digest algorithms, such as MD5 and SHA families [0, 1, 2]. Apart from
built-in salting it is adaptable to the increasing power of modern
processing units, which makes it more secure against brute-force cracking.
This commit makes all passwords hashed using BCrypt. The session tokens
remain generated using SHA1. Tests were updated, `rake test:units` and
`rake test:functionals` didn't report any regressions.
[0] http://bcrypt.sourceforge.net/
[1] http://en.wikipedia.org/w/index.php?title=Bcrypt&oldid=439692871
[2] eab1c72/README.md
- adding missing Javascript includes
- fixing jquery for showing/hiding indentity url field
- adding identity url field to signup form
- fixing bug in signup controller
This is at least one issue with this
to logout of CAS you need session information but the logout method blows this away so I do the cas log out before the session is killed so the session persistest in rails. Because I needed to move the CAS before filters into login_cas and out of the application to make it work side by side. The user will still be logined into tracks even though their CAS session is closed as the session will still be there.
def logout
@user.forget_me if logged_in?
cookies.delete :auth_token
session['user_id'] = nil
if ( SITE_CONFIG['authentication_schemes'].include? 'cas') && session[:cas_user]
CASClient::Frameworks::Rails::Filter.logout(self)
else
reset_session
notify :notice, "You have been logged out of Tracks."
redirect_to_login
end
end
The other issue I have with this is that:
I could not find a use case for having mixed auth when using CAS. The reason to move to CAS is that all your users use CAS all the time. Even for admin accounts. Moodle is a good example of this in that when you activate CAS the default is that you can now only access moodle via CAS. By allowing mixed auth and self signup you end up with a anyone (the public) being able to sign up for accounts.
* Ran rake rails:update
* Added old actionwebservice framework
* Updated RSpec and RSpec-Rails
* Removed asset_packager plugin (not compatible, Scott no longer maintaining), and replaced with bundle_fu. See the bundle_fu README for more info.
* Hacks to UJS and ARTS plugins, which are no longer supported. Probably should move off both UJS and RJS.
* Hack to flashobject_helper plugin (upgrade to Rails 2.2-compatible version if/when it comes out.)
* Hack to skinny-spec plugin, for Rails 2.2 compatibility. Should check for official release.
* Hacks to resource_feeder plugin, for Rails 2.2 compatibility. Should check for official release (not likely) or move off it.
* Addressed some deprecation warnings. More to come.
* My mobile mime type hackery is no longer necessary with new Rails features. Yay!
* Updated environment.rb.tmpl with changes
TODO:
* Restore view specs marked pending
* Fix failing integration tests.
* Try selenium tests.
* Investigate OpenID support.
* Address deprecation warnings.
* Consider moving parts of environment.rb to initializers
* Address annoying config.gem warning about highline gem
Re-wrote all Date-related code to use Datetimes, created a migration to get rid of all date columns in the database, and got rid of Time.now calls that were not time zone-aware. Lots of time zone goodness!
Made corresponding change in view.
Added User.per_page method to provide number of users per page to User.paginate button. I can remove and just pass the param to the method in the controller if that is more desirable.
Added 2 controller tests for pagination. No view tests have been added.
Changes you will need to make:
* In your environment.rb, you will need to update references to a few files per environment.rb.tmpl
* In your environment.rb, you will need to specify the local time zone of the computer that is running your Tracks install.
Other notes on my changes:
* Modified our code to take advantage of Rails 2.1's slick time zone support.
* Upgraded will_paginate for compatibility
* Hacked the Selenium on Rails plugin, which has not been updated in some time and does not support Rails 2.1
* Verified that all tests pass on my machine, including Selenium tests -- I'd like confirmation from others, too.
