devise-argon2 1.1.0 → 2.0.1

data/spec/devise-argon2_spec.rb

@@ -1,50 +1,296 @@
 # encoding: utf-8
 require 'spec_helper'
+require 'bcrypt'
 
-describe Devise::Encryptable::Encryptors::Argon2 do
-  let(:argon2)    { Devise::Encryptable::Encryptors::Argon2 }
-  let(:password)  { 'Tr0ub4dor&3' }
-  let(:stretches) { 10 }
+describe Devise::Models::Argon2 do
+  CORRECT_PASSWORD = 'Tr0ub4dor&3'
+  INCORRECT_PASSWORD = 'wrong'
+  DEFAULT_M_COST = 3
+  DEFAULT_T_COST = 1
+  DEFAULT_P_COST = 1
 
-  describe "used with salt + pepper" do
-    let(:salt)      { "You say you love me like salt! The simplest spice in my kingdom!" }
-    let(:pepper)    { "I don't really want to stop the show But I thought that you might like to know That the singer's going to sing a song And he wants you all to sing along" }
+  let(:user) { User.new(password: CORRECT_PASSWORD) }
 
-    describe ".compare" do
-      let(:encrypted) { Argon2::Password.create("#{password}#{salt}#{pepper}").to_s }
+  before do
+    Devise.pepper = nil
+    Devise.argon2_options = {
+      m_cost: DEFAULT_M_COST,
+      t_cost: DEFAULT_T_COST,
+      p_cost: DEFAULT_P_COST
+    }
+    User.destroy_all
+  end
+
+  def work_factors(hash)
+    hash_format = Argon2::HashFormat.new(hash)
+    {
+      m_cost: hash_format.m_cost,
+      t_cost: hash_format.t_cost,
+      p_cost: hash_format.p_cost
+    }
+  end
+
+  describe 'valid_password?' do
+    shared_examples 'a password is validated if and only if it is correct' do
+      it 'validates the correct password' do
+        expect(user.valid_password?(CORRECT_PASSWORD)).to be true
+      end
+
+      it 'does not validate an incorrect password' do
+        expect(user.valid_password?(INCORRECT_PASSWORD)).to be false
+      end
+    end
+
+    context 'no pepper' do
+      include_examples 'a password is validated if and only if it is correct'
+    end
+
+    context 'Devise.pepper is set' do
+      before do
+        Devise.pepper = 'pepper'
+      end
+
+      include_examples 'a password is validated if and only if it is correct'
+    end
+
+    context 'argon2_options[:secret] is set' do
+      before do
+        Devise.argon2_options[:secret] = 'pepper'
+      end
 
-      it "is true when the encrypted password contains the argon2id format" do
-        expect(encrypted).to match /argon2id/
-      end    
+      include_examples 'a password is validated if and only if it is correct'
+    end
+
+    context 'encrypted_password is a BCrypt hash' do
+      before do
+        Devise.pepper = 'devise pepper'
+        Devise.argon2_options.merge!({ secret: 'argon2 secret' })
+
+        # Devise peppers by concatenating password and pepper:
+        # https://github.com/heartcombo/devise/blob/main/lib/devise/encryptor.rb
+        bcrypt_hash = BCrypt::Password.create("#{CORRECT_PASSWORD}#{Devise.pepper}", cost: 4)
+
+        user.encrypted_password = bcrypt_hash
+      end
+
+      include_examples 'a password is validated if and only if it is correct'
+
+      it 'updates hash if valid password is given' do
+        expect{ user.valid_password?(CORRECT_PASSWORD) }.to(change(user, :encrypted_password))
+        expect(
+          ::Argon2::Password.verify_password(
+            CORRECT_PASSWORD,
+            user.encrypted_password,
+            'argon2 secret'
+          )
+        ).to be true
+      end
 
-      it "is true when comparing an encrypted password against given plaintext" do
-        expect(argon2.compare(encrypted, password, stretches, salt, pepper)).to be true
+      it 'does not update the hash if an invalid password is given' do
+        expect{ user.valid_password?(INCORRECT_PASSWORD) }.not_to(change(user, :encrypted_password))
       end
+    end
+
+    context 'encrypted_password is hashed with version 1 of devise-argon2' do
+      let(:user) { OldUser.new(password: CORRECT_PASSWORD) }
 
-      it "is false when comparing with wrong password" do
-        expect(argon2.compare(encrypted, 'hunter2', stretches, salt, pepper)).to be false
+      before do
+        Devise.pepper = 'devise pepper'
+        Devise.argon2_options.merge!({
+          secret: 'argon2 secret',
+          migrate_from_devise_argon2_v1: true
+        })
+
+        user.password_salt = 'devise-argon2 v1 salt'
+        user.encrypted_password = ::Argon2::Password.create(
+          "#{CORRECT_PASSWORD}#{user.password_salt}#{Devise.pepper}"
+        )
       end
 
-      it "is false when comparing with correct password but wrong salt" do
-        expect(argon2.compare(encrypted, password, stretches, 'nacl', pepper)).to be false
+      include_examples 'a password is validated if and only if it is correct'
+
+      it 'updates hash once if valid password is given' do
+        expect{ user.valid_password?(CORRECT_PASSWORD) }.to(
+          change(user, :encrypted_password)
+          .and(change(user, :password_salt).to(nil))
+        )
+        expect(
+          ::Argon2::Password.verify_password(
+            CORRECT_PASSWORD,
+            user.encrypted_password,
+            'argon2 secret'
+          )
+        ).to be true
+        expect{ user.valid_password?(CORRECT_PASSWORD) }.not_to(change(user, :encrypted_password))
       end
 
-      it "is false when comparing with correct password but wrong pepper" do
-        expect(argon2.compare(encrypted, password, stretches, salt, 'beatles')).to be false
+      it 'does not update the hash if an invalid password is given' do
+        expect{ user.valid_password?(INCORRECT_PASSWORD) }.not_to(change(user, :encrypted_password))
       end
     end
 
-    describe "without any salt or pepper" do
-      let(:encrypted) { Argon2::Password.create(password).to_s }
-      let(:salt) { nil }
-      let(:pepper) { nil }
-      let(:encrypted) { Argon2::Password.create(password).to_s }
+    describe 'updating outdated work factors' do
+      it 'updates work factors if a valid password is given' do
+        user # build user
+
+        Devise.argon2_options.merge!({
+          m_cost: 4,
+          t_cost: 3,
+          p_cost: 2
+        })
+
+        expect{ user.valid_password?(CORRECT_PASSWORD) }.to(
+          change{ work_factors(user.encrypted_password) }
+            .from({ m_cost: 1 << DEFAULT_M_COST, t_cost: DEFAULT_T_COST, p_cost: DEFAULT_P_COST})
+            .to({ m_cost: 1 << 4, t_cost: 3, p_cost: 2 })
+        )
+      end
+
+      it 'does not update work factors if an invalid password is given' do
+        user # build user
 
-      it "is still works" do
-        expect(argon2.compare(encrypted, password, stretches, salt, pepper)).to be true
+        Devise.argon2_options.merge!({
+          m_cost: 4,
+          t_cost: 3,
+          p_cost: 2
+        })
+
+        expect{ user.valid_password?(INCORRECT_PASSWORD) }
+          .not_to change{ work_factors(user.encrypted_password) }
+      end
+
+      it 'updates work factors for a persisted user' do
+        user.save!
+
+        Devise.argon2_options.merge!({
+          m_cost: 4,
+          t_cost: 3,
+          p_cost: 2
+        })
+
+        expect{ user.valid_password?(CORRECT_PASSWORD) }.to(
+          change{ work_factors(user.encrypted_password) }
+            .from({ m_cost: 1 << DEFAULT_M_COST, t_cost: DEFAULT_T_COST, p_cost: DEFAULT_P_COST})
+            .to({ m_cost: 1 << 4, t_cost: 3, p_cost: 2 })
+        )
+      end
+
+      if Argon2::VERSION >= '2.3.0'
+        it 'updates work factors if they changed via profile option' do
+          # Build user with argon2 default work factors (which match the RFC_9106_LOW_MEMORY
+          # profile.)
+          Devise.argon2_options = {}
+          user
+
+          Devise.argon2_options = { profile: :pre_rfc_9106 }
+          
+          expect{ user.valid_password?(CORRECT_PASSWORD) }.to(
+            change{ work_factors(user.encrypted_password) }
+              .to(
+                {
+                  m_cost: 1 << Argon2::Profiles[:pre_rfc_9106][:m_cost],
+                  t_cost: Argon2::Profiles[:pre_rfc_9106][:t_cost],
+                  p_cost: Argon2::Profiles[:pre_rfc_9106][:p_cost]
+                }
+              )
+          )
+        end
+
+        it 'gives precendence to the profile option over explicit configuration of work factors' do
+          Devise.argon2_options = {
+            m_cost: Argon2::Profiles[:pre_rfc_9106][:m_cost] + 1,
+            t_cost: Argon2::Profiles[:pre_rfc_9106][:t_cost] + 1,
+            p_cost: Argon2::Profiles[:pre_rfc_9106][:p_cost] + 1
+          }
+          user # build user
+
+          Devise.argon2_options = {
+            profile: :pre_rfc_9106,
+            m_cost: Argon2::Profiles[:pre_rfc_9106][:m_cost] + 1,
+            t_cost: Argon2::Profiles[:pre_rfc_9106][:t_cost] + 1,
+            p_cost: Argon2::Profiles[:pre_rfc_9106][:p_cost] + 1
+          }
+          
+          expect{ user.valid_password?(CORRECT_PASSWORD) }.to(
+            change{ work_factors(user.encrypted_password) }
+              .to(
+                {
+                  m_cost: 1 << Argon2::Profiles[:pre_rfc_9106][:m_cost],
+                  t_cost: Argon2::Profiles[:pre_rfc_9106][:t_cost],
+                  p_cost: Argon2::Profiles[:pre_rfc_9106][:p_cost]
+                }
+              )
+          )
+        end
       end
     end
 
+    it 'ignores migrate_from_devise_argon2_v1 if password_salt is not present' do
+      Devise.argon2_options.merge!({ migrate_from_devise_argon2_v1: true })
+      expect{ user.valid_password?(CORRECT_PASSWORD) }.not_to(change(user, :encrypted_password))
+    end
   end
 
+  describe 'password_digest' do
+    context 'no pepper' do
+      it 'hashes the given password with Argon2' do
+        expect(
+          Argon2::Password.verify_password(CORRECT_PASSWORD, user.encrypted_password)
+        ).to be true
+      end
+    end
+
+    context 'Devise.pepper is set' do
+      before do
+        Devise.pepper = 'pepper'
+      end
+
+      it 'uses Devise.pepper as secret key for Argon2' do
+        expect(
+          Argon2::Password.verify_password(CORRECT_PASSWORD, user.encrypted_password, 'pepper')
+        ).to be true
+      end
+    end
+
+    context 'argon2_options[:secret] is set' do
+      before do
+        Devise.argon2_options[:secret] = 'pepper'
+      end
+
+      it 'uses argon2_options[:secret] as secret key for Argon2' do
+        expect(
+          Argon2::Password.verify_password(CORRECT_PASSWORD, user.encrypted_password, 'pepper')
+        ).to be true
+      end
+    end
+
+    context 'both Devise.pepper and argon2_options[:secret] are set' do
+      before do
+        Devise.pepper = 'devise pepper'
+        Devise.argon2_options[:secret] = 'argon2_options pepper'
+      end
+
+      it 'uses argon2_options[:secret] as secret key for Argon2' do
+        expect(
+          Argon2::Password.verify_password(
+            CORRECT_PASSWORD,
+            user.encrypted_password,
+            'argon2_options pepper'
+          )
+        ).to be true
+      end
+    end
+
+    it 'uses work factors given in argon2_options' do
+      Devise.argon2_options.merge!({
+        m_cost: 4,
+        t_cost: 3,
+        p_cost: 2
+      })
+
+      expect(work_factors(user.encrypted_password)).to eq(
+        { m_cost: 1 << 4, t_cost: 3, p_cost: 2 }
+      )
+    end
+  end
 end

data/spec/orm/active_record.rb

@@ -0,0 +1 @@
+ActiveRecord::Base.logger = Logger.new(nil)

data/spec/orm/mongoid.rb

@@ -0,0 +1,5 @@
+require 'mongoid/version'
+
+Mongoid.configure do |config|
+  config.load!('spec/rails_app/config/mongoid.yml')
+end

data/spec/rails_app/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require_relative "config/application"
+
+Rails.application.load_tasks

data/spec/rails_app/app/active_record/old_user.rb

@@ -0,0 +1,3 @@
+class OldUser < ActiveRecord::Base
+  devise :database_authenticatable, :argon2
+end

data/spec/rails_app/app/active_record/user.rb

@@ -0,0 +1,3 @@
+class User < ActiveRecord::Base
+  devise :database_authenticatable, :argon2
+end

data/spec/rails_app/app/controllers/application_controller.rb

@@ -0,0 +1,3 @@
+class ApplicationController < ActionController::Base
+
+end

data/spec/rails_app/app/mongoid/old_user.rb

@@ -0,0 +1,12 @@
+class OldUser
+  include Mongoid::Document
+  
+  devise :database_authenticatable, :argon2
+
+  field :email,              type: String, default: ""
+  field :encrypted_password, type: String, default: ""
+
+  field :password_salt, type: String, default: ""
+
+  include Mongoid::Timestamps
+end

data/spec/rails_app/app/mongoid/user.rb

@@ -0,0 +1,10 @@
+class User
+  include Mongoid::Document
+  
+  devise :database_authenticatable, :argon2
+
+  field :email,              type: String, default: ""
+  field :encrypted_password, type: String, default: ""
+
+  include Mongoid::Timestamps
+end

data/spec/rails_app/bin/bundle

@@ -0,0 +1,109 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'bundle' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require "rubygems"
+
+m = Module.new do
+  module_function
+
+  def invoked_as_script?
+    File.expand_path($0) == File.expand_path(__FILE__)
+  end
+
+  def env_var_version
+    ENV["BUNDLER_VERSION"]
+  end
+
+  def cli_arg_version
+    return unless invoked_as_script? # don't want to hijack other binstubs
+    return unless "update".start_with?(ARGV.first || " ") # must be running `bundle update`
+    bundler_version = nil
+    update_index = nil
+    ARGV.each_with_index do |a, i|
+      if update_index && update_index.succ == i && a =~ Gem::Version::ANCHORED_VERSION_PATTERN
+        bundler_version = a
+      end
+      next unless a =~ /\A--bundler(?:[= ](#{Gem::Version::VERSION_PATTERN}))?\z/
+      bundler_version = $1
+      update_index = i
+    end
+    bundler_version
+  end
+
+  def gemfile
+    gemfile = ENV["BUNDLE_GEMFILE"]
+    return gemfile if gemfile && !gemfile.empty?
+
+    File.expand_path("../Gemfile", __dir__)
+  end
+
+  def lockfile
+    lockfile =
+      case File.basename(gemfile)
+      when "gems.rb" then gemfile.sub(/\.rb$/, ".locked")
+      else "#{gemfile}.lock"
+      end
+    File.expand_path(lockfile)
+  end
+
+  def lockfile_version
+    return unless File.file?(lockfile)
+    lockfile_contents = File.read(lockfile)
+    return unless lockfile_contents =~ /\n\nBUNDLED WITH\n\s{2,}(#{Gem::Version::VERSION_PATTERN})\n/
+    Regexp.last_match(1)
+  end
+
+  def bundler_requirement
+    @bundler_requirement ||=
+      env_var_version ||
+      cli_arg_version ||
+      bundler_requirement_for(lockfile_version)
+  end
+
+  def bundler_requirement_for(version)
+    return "#{Gem::Requirement.default}.a" unless version
+
+    bundler_gem_version = Gem::Version.new(version)
+
+    bundler_gem_version.approximate_recommendation
+  end
+
+  def load_bundler!
+    ENV["BUNDLE_GEMFILE"] ||= gemfile
+
+    activate_bundler
+  end
+
+  def activate_bundler
+    gem_error = activation_error_handling do
+      gem "bundler", bundler_requirement
+    end
+    return if gem_error.nil?
+    require_error = activation_error_handling do
+      require "bundler/version"
+    end
+    return if require_error.nil? && Gem::Requirement.new(bundler_requirement).satisfied_by?(Gem::Version.new(Bundler::VERSION))
+    warn "Activating bundler (#{bundler_requirement}) failed:\n#{gem_error.message}\n\nTo install the version of bundler this project requires, run `gem install bundler -v '#{bundler_requirement}'`"
+    exit 42
+  end
+
+  def activation_error_handling
+    yield
+    nil
+  rescue StandardError, LoadError => e
+    e
+  end
+end
+
+m.load_bundler!
+
+if m.invoked_as_script?
+  load Gem.bin_path("bundler", "bundle")
+end

data/spec/rails_app/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path("../config/application", __dir__)
+require_relative "../config/boot"
+require "rails/commands"

data/spec/rails_app/bin/rake

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative "../config/boot"
+require "rake"
+Rake.application.run

data/spec/rails_app/bin/setup

@@ -0,0 +1,33 @@
+#!/usr/bin/env ruby
+require "fileutils"
+
+# path to your application root.
+APP_ROOT = File.expand_path("..", __dir__)
+
+def system!(*args)
+  system(*args) || abort("\n== Command #{args} failed ==")
+end
+
+FileUtils.chdir APP_ROOT do
+  # This script is a way to set up or update your development environment automatically.
+  # This script is idempotent, so that you can run it at any time and get an expectable outcome.
+  # Add necessary setup steps to this file.
+
+  puts "== Installing dependencies =="
+  system! "gem install bundler --conservative"
+  system("bundle check") || system!("bundle install")
+
+  # puts "\n== Copying sample files =="
+  # unless File.exist?("config/database.yml")
+  #   FileUtils.cp "config/database.yml.sample", "config/database.yml"
+  # end
+
+  puts "\n== Preparing database =="
+  system! "bin/rails db:prepare"
+
+  puts "\n== Removing old logs and tempfiles =="
+  system! "bin/rails log:clear tmp:clear"
+
+  puts "\n== Restarting application server =="
+  system! "bin/rails restart"
+end

data/spec/rails_app/config/application.rb

@@ -0,0 +1,24 @@
+ORM = (ENV['ORM'] || 'active_record')
+
+require "rails"
+
+Bundler.require :default, ORM
+
+require "action_controller/railtie"
+
+require "#{ORM}/railtie"
+require "action_mailer/railtie"
+require 'devise-argon2'
+
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups)
+
+module DummyRailsApp
+  class Application < Rails::Application
+    config.load_defaults Rails.version.match(/^\d.\d/)[0]
+    config.eager_load = false
+    config.autoload_paths.reject!{ |p| p =~ /\/app\/(\w+)$/ && !%w(controllers helpers mailers views).include?($1) }
+    config.autoload_paths += ["#{config.root}/app/#{ORM}"]
+  end
+end

data/spec/rails_app/config/boot.rb

@@ -0,0 +1,5 @@
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../../Gemfile", __dir__)
+
+require "bundler/setup" # Set up gems listed in the Gemfile.
+
+$LOAD_PATH.unshift File.expand_path('../../../lib', __dir__)

data/spec/rails_app/config/database.yml

@@ -0,0 +1,14 @@
+# SQLite. Versions 3.8.0 and up are supported.
+#   gem install sqlite3
+#
+#   Ensure the SQLite 3 gem is defined in your Gemfile
+#   gem "sqlite3"
+#
+default: &default
+  adapter: sqlite3
+  pool: 5
+  timeout: 5000
+
+test:
+  <<: *default
+  database: db/test.sqlite3

data/spec/rails_app/config/environment.rb

@@ -0,0 +1,7 @@
+ENV['RAILS_ENV'] = 'test'
+
+# Load the Rails application.
+require_relative "application"
+
+# Initialize the Rails application.
+Rails.application.initialize!

data/spec/rails_app/config/initializers/devise.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+Devise.setup do |config|
+  require "devise/orm/#{ENV['ORM'] || 'active_record'}"
+  config.stretches = 1
+end

data/spec/rails_app/config/mongoid.yml

@@ -0,0 +1,10 @@
+test:
+  clients:
+    default:
+      database: dummy_rails_app_test
+      hosts:
+        - localhost:27017
+      options:
+        read:
+          mode: :primary
+        max_pool_size: 1

data/spec/rails_app/config.ru

@@ -0,0 +1,6 @@
+# This file is used by Rack-based servers to start the application.
+
+require_relative "config/environment"
+
+run Rails.application
+Rails.application.load_server

data/spec/rails_app/db/migrate/20230617201921_devise_create_users.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class DeviseCreateUsers < ActiveRecord::Migration[6.0]
+  def change
+    create_table :users do |t|
+      ## Database authenticatable
+      t.string :email,              null: false, default: ""
+      t.string :encrypted_password, null: false, default: ""
+
+      t.timestamps null: false
+    end
+
+    add_index :users, :email,                unique: true
+  end
+end

data/spec/rails_app/db/migrate/20231004084147_devise_create_old_users.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class DeviseCreateOldUsers < ActiveRecord::Migration[7.0]
+  def change
+    create_table :old_users do |t|
+      ## Database authenticatable
+      t.string :email,              null: false, default: ""
+      t.string :encrypted_password, null: false, default: ""
+
+      t.string :password_salt
+
+      t.timestamps null: false
+    end
+
+    add_index :old_users, :email,                unique: true
+  end
+end