devise-argon2 2.0.0 → 2.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/test.yml +19 -0
- data/.gitignore +1 -1
- data/CHANGELOG.md +12 -0
- data/Gemfile +2 -0
- data/README.md +2 -1
- data/devise-argon2.gemspec +3 -3
- data/lib/devise-argon2/model.rb +23 -11
- data/lib/devise-argon2/version.rb +1 -1
- data/spec/devise-argon2_spec.rb +49 -0
- metadata +9 -8
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d036bff0c949c49457df0df4a4ac902d4ed0e65e84fd26f2940bfcc973b6bcc3
|
4
|
+
data.tar.gz: 82024dfd476f476514c5548b4aac5a93c49ffffad6fe33252c153381d0b803c1
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: fb3857086fc9f31fd22bec613c3fe9e93534234036db242c49b1e5aae6ac9340611916e62ec92f84e67b8fafe97610b6d947c98df7846e62d91d9e550586689b
|
7
|
+
data.tar.gz: b7e523688dab140c94d9aed10232a57a1dcb144b437073d8ec41952fe0595f8713215d5ed9658701927f50182d2cf49adb0fd7bc5792d21255edaf70ffa603f5
|
data/.github/workflows/test.yml
CHANGED
@@ -9,6 +9,7 @@ jobs:
|
|
9
9
|
matrix:
|
10
10
|
ruby-version: ['2.7', '3.0', '3.1', '3.2', 'ruby-head']
|
11
11
|
rails-version: ['~> 7.0', '~> 6.1']
|
12
|
+
argon2-version: ['2.2', '2.3']
|
12
13
|
orm:
|
13
14
|
- adapter: active_record
|
14
15
|
- adapter: mongoid
|
@@ -18,18 +19,36 @@ jobs:
|
|
18
19
|
- adapter: mongoid
|
19
20
|
mongoid-version: 7.5.4
|
20
21
|
include:
|
22
|
+
- rails-version: '~> 6.1'
|
23
|
+
ruby-version: '3.1'
|
24
|
+
argon2-version: '2.3'
|
25
|
+
devise-version: '4.8'
|
26
|
+
orm:
|
27
|
+
adapter: active_record
|
21
28
|
- rails-version: '~> 7.1'
|
22
29
|
ruby-version: '3.1'
|
30
|
+
argon2-version: '2.3'
|
31
|
+
devise-version: '4.9'
|
23
32
|
orm:
|
24
33
|
adapter: active_record
|
25
34
|
- rails-version: '~> 7.1'
|
26
35
|
ruby-version: '3.2'
|
36
|
+
argon2-version: '2.3'
|
37
|
+
devise-version: '4.9'
|
38
|
+
orm:
|
39
|
+
adapter: active_record
|
40
|
+
- rails-version: '~> 7.1'
|
41
|
+
ruby-version: '3.1'
|
42
|
+
argon2-version: '2.1'
|
43
|
+
devise-version: '4.9'
|
27
44
|
orm:
|
28
45
|
adapter: active_record
|
29
46
|
env:
|
30
47
|
RAILS_VERSION: ${{ matrix.rails-version || '~> 7.0'}}
|
31
48
|
MONGOID_VERSION: ${{ matrix.orm.mongoid-version || '8.1.2'}}
|
32
49
|
ORM: ${{ matrix.orm.adapter }}
|
50
|
+
ARGON2_VERSION: ${{ matrix.argon2-version }}
|
51
|
+
DEVISE_VERSION: ${{ matrix.devise-version || '~> 4.9' }}
|
33
52
|
steps:
|
34
53
|
- uses: actions/checkout@v4
|
35
54
|
- name: Set up Ruby ${{ matrix.ruby-version }}
|
data/.gitignore
CHANGED
data/CHANGELOG.md
CHANGED
@@ -2,6 +2,17 @@
|
|
2
2
|
|
3
3
|
## Unreleased
|
4
4
|
|
5
|
+
## [2.0.1] - 2023-10-18
|
6
|
+
|
7
|
+
### Added
|
8
|
+
- Add Argon2 and devise to the test suite
|
9
|
+
- Add @moritzhoeppner as an author
|
10
|
+
|
11
|
+
### Fixed
|
12
|
+
- Fix work factors implementation
|
13
|
+
|
14
|
+
## [2.0.0] - 2023-10-16
|
15
|
+
|
5
16
|
### Added
|
6
17
|
- Expose Argon2 options for configuring hashing work factors
|
7
18
|
- Add support for migration v1 hashes
|
@@ -17,4 +28,5 @@
|
|
17
28
|
- Remove `devise-encryptable` dependency
|
18
29
|
- Remove superflous dependency on devise `password_salt` column
|
19
30
|
|
31
|
+
Thank you to @moritzhoeppner for the significant contributions to this release!
|
20
32
|
|
data/Gemfile
CHANGED
@@ -7,6 +7,8 @@ gem 'simplecov'
|
|
7
7
|
gem 'activerecord'
|
8
8
|
gem 'sqlite3'
|
9
9
|
gem 'rails', ENV['RAILS_VERSION'] || '~> 7.0'
|
10
|
+
gem 'argon2', ENV['ARGON2_VERSION'] || '~> 2.3'
|
11
|
+
gem 'devise', ENV['DEVISE_VERSION'] || '~> 4.9'
|
10
12
|
|
11
13
|
if ENV['ORM'] == 'mongoid'
|
12
14
|
gem 'mongoid', ENV['MONGOID_VERSION'] || '~> 7.5'
|
data/README.md
CHANGED
@@ -1,5 +1,6 @@
|
|
1
1
|
# devise-argon2
|
2
2
|
[![Gem Version](https://badge.fury.io/rb/devise-argon2.svg)](https://badge.fury.io/rb/devise-argon2)
|
3
|
+
![](https://github.com/erdostom/devise-argon2/actions/workflows/test.yml/badge.svg)
|
3
4
|
|
4
5
|
A ruby gem that gives Devise models which use `database_authenticatable` the ability to hash
|
5
6
|
passwords with Argon2id.
|
@@ -39,7 +40,7 @@ or `secret` to `Argon2::Password.new`. These parameters can be set like this:
|
|
39
40
|
class User < ApplicationRecord
|
40
41
|
devise :database_authenticatable,
|
41
42
|
:argon2,
|
42
|
-
argon2_options: {
|
43
|
+
argon2_options: { t_cost: 3, p_cost: 2 }
|
43
44
|
end
|
44
45
|
```
|
45
46
|
|
data/devise-argon2.gemspec
CHANGED
@@ -6,7 +6,7 @@ require "devise-argon2/version"
|
|
6
6
|
Gem::Specification.new do |gem|
|
7
7
|
gem.name = "devise-argon2"
|
8
8
|
gem.version = Devise::Argon2::ARGON2_VERSION
|
9
|
-
gem.authors = ["Tamas Erdos"]
|
9
|
+
gem.authors = ["Tamas Erdos", "Moritz Höppner"]
|
10
10
|
gem.email = ["tamas at tamaserdos com"]
|
11
11
|
gem.description = %q{Enables Devise to hash passwords with Argon2id}
|
12
12
|
gem.summary = %q{Enables Devise to hash passwords with Argon2id}
|
@@ -18,8 +18,8 @@ Gem::Specification.new do |gem|
|
|
18
18
|
gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
|
19
19
|
gem.require_paths = ["lib"]
|
20
20
|
|
21
|
-
gem.add_dependency 'devise', '
|
22
|
-
gem.add_dependency 'argon2', '~> 2.
|
21
|
+
gem.add_dependency 'devise', '~> 4.0'
|
22
|
+
gem.add_dependency 'argon2', '~> 2.1'
|
23
23
|
|
24
24
|
|
25
25
|
gem.post_install_message = "Version 2 of devise-argon2 introduces breaking changes, please see README.md for details."
|
data/lib/devise-argon2/model.rb
CHANGED
@@ -58,21 +58,33 @@ module Devise
|
|
58
58
|
end
|
59
59
|
|
60
60
|
def outdated_work_factors?
|
61
|
+
hash_format = ::Argon2::HashFormat.new(encrypted_password)
|
62
|
+
current_work_factors = {
|
63
|
+
t_cost: hash_format.t_cost,
|
64
|
+
m_cost: hash_format.m_cost,
|
65
|
+
p_cost: hash_format.p_cost
|
66
|
+
}
|
67
|
+
current_work_factors != configured_work_factors
|
68
|
+
end
|
69
|
+
|
70
|
+
def configured_work_factors
|
61
71
|
# Since version 2.3.0 the argon2 gem exposes the default work factors via constants, see
|
62
72
|
# https://github.com/technion/ruby-argon2/commit/d62ecf8b4ec6b8c1651fade5a5ebdc856e8aef42
|
63
|
-
|
64
|
-
|
65
|
-
|
73
|
+
work_factors = {
|
74
|
+
t_cost: defined?(::Argon2::Password::DEFAULT_T_COST) ? ::Argon2::Password::DEFAULT_T_COST : 2,
|
75
|
+
m_cost: defined?(::Argon2::Password::DEFAULT_M_COST) ? ::Argon2::Password::DEFAULT_M_COST : 16,
|
76
|
+
p_cost: defined?(::Argon2::Password::DEFAULT_P_COST) ? ::Argon2::Password::DEFAULT_P_COST : 1
|
77
|
+
}.merge(self.class.argon2_options.slice(:t_cost, :m_cost, :p_cost))
|
66
78
|
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
79
|
+
# Since version 2.3.0 the argon2 gem supports defining work factors with named profiles, see
|
80
|
+
# https://github.com/technion/ruby-argon2/commit/6312a8fb3a6c6c5e771a736572e63d47485e8613
|
81
|
+
if self.class.argon2_options[:profile] && defined?(::Argon2::Profiles)
|
82
|
+
work_factors.merge!(::Argon2::Profiles[self.class.argon2_options[:profile]])
|
83
|
+
end
|
84
|
+
|
85
|
+
work_factors[:m_cost] = (1 << work_factors[:m_cost])
|
72
86
|
|
73
|
-
|
74
|
-
hash_format.m_cost != (1 << current_m_cost) ||
|
75
|
-
hash_format.p_cost != current_p_cost
|
87
|
+
work_factors
|
76
88
|
end
|
77
89
|
|
78
90
|
def migrate_hash_from_devise_argon2_v1?
|
data/spec/devise-argon2_spec.rb
CHANGED
@@ -174,6 +174,55 @@ describe Devise::Models::Argon2 do
|
|
174
174
|
.to({ m_cost: 1 << 4, t_cost: 3, p_cost: 2 })
|
175
175
|
)
|
176
176
|
end
|
177
|
+
|
178
|
+
if Argon2::VERSION >= '2.3.0'
|
179
|
+
it 'updates work factors if they changed via profile option' do
|
180
|
+
# Build user with argon2 default work factors (which match the RFC_9106_LOW_MEMORY
|
181
|
+
# profile.)
|
182
|
+
Devise.argon2_options = {}
|
183
|
+
user
|
184
|
+
|
185
|
+
Devise.argon2_options = { profile: :pre_rfc_9106 }
|
186
|
+
|
187
|
+
expect{ user.valid_password?(CORRECT_PASSWORD) }.to(
|
188
|
+
change{ work_factors(user.encrypted_password) }
|
189
|
+
.to(
|
190
|
+
{
|
191
|
+
m_cost: 1 << Argon2::Profiles[:pre_rfc_9106][:m_cost],
|
192
|
+
t_cost: Argon2::Profiles[:pre_rfc_9106][:t_cost],
|
193
|
+
p_cost: Argon2::Profiles[:pre_rfc_9106][:p_cost]
|
194
|
+
}
|
195
|
+
)
|
196
|
+
)
|
197
|
+
end
|
198
|
+
|
199
|
+
it 'gives precendence to the profile option over explicit configuration of work factors' do
|
200
|
+
Devise.argon2_options = {
|
201
|
+
m_cost: Argon2::Profiles[:pre_rfc_9106][:m_cost] + 1,
|
202
|
+
t_cost: Argon2::Profiles[:pre_rfc_9106][:t_cost] + 1,
|
203
|
+
p_cost: Argon2::Profiles[:pre_rfc_9106][:p_cost] + 1
|
204
|
+
}
|
205
|
+
user # build user
|
206
|
+
|
207
|
+
Devise.argon2_options = {
|
208
|
+
profile: :pre_rfc_9106,
|
209
|
+
m_cost: Argon2::Profiles[:pre_rfc_9106][:m_cost] + 1,
|
210
|
+
t_cost: Argon2::Profiles[:pre_rfc_9106][:t_cost] + 1,
|
211
|
+
p_cost: Argon2::Profiles[:pre_rfc_9106][:p_cost] + 1
|
212
|
+
}
|
213
|
+
|
214
|
+
expect{ user.valid_password?(CORRECT_PASSWORD) }.to(
|
215
|
+
change{ work_factors(user.encrypted_password) }
|
216
|
+
.to(
|
217
|
+
{
|
218
|
+
m_cost: 1 << Argon2::Profiles[:pre_rfc_9106][:m_cost],
|
219
|
+
t_cost: Argon2::Profiles[:pre_rfc_9106][:t_cost],
|
220
|
+
p_cost: Argon2::Profiles[:pre_rfc_9106][:p_cost]
|
221
|
+
}
|
222
|
+
)
|
223
|
+
)
|
224
|
+
end
|
225
|
+
end
|
177
226
|
end
|
178
227
|
|
179
228
|
it 'ignores migrate_from_devise_argon2_v1 if password_salt is not present' do
|
metadata
CHANGED
@@ -1,43 +1,44 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: devise-argon2
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.0.
|
4
|
+
version: 2.0.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tamas Erdos
|
8
|
+
- Moritz Höppner
|
8
9
|
autorequire:
|
9
10
|
bindir: bin
|
10
11
|
cert_chain: []
|
11
|
-
date: 2023-10-
|
12
|
+
date: 2023-10-19 00:00:00.000000000 Z
|
12
13
|
dependencies:
|
13
14
|
- !ruby/object:Gem::Dependency
|
14
15
|
name: devise
|
15
16
|
requirement: !ruby/object:Gem::Requirement
|
16
17
|
requirements:
|
17
|
-
- - "
|
18
|
+
- - "~>"
|
18
19
|
- !ruby/object:Gem::Version
|
19
|
-
version:
|
20
|
+
version: '4.0'
|
20
21
|
type: :runtime
|
21
22
|
prerelease: false
|
22
23
|
version_requirements: !ruby/object:Gem::Requirement
|
23
24
|
requirements:
|
24
|
-
- - "
|
25
|
+
- - "~>"
|
25
26
|
- !ruby/object:Gem::Version
|
26
|
-
version:
|
27
|
+
version: '4.0'
|
27
28
|
- !ruby/object:Gem::Dependency
|
28
29
|
name: argon2
|
29
30
|
requirement: !ruby/object:Gem::Requirement
|
30
31
|
requirements:
|
31
32
|
- - "~>"
|
32
33
|
- !ruby/object:Gem::Version
|
33
|
-
version: '2.
|
34
|
+
version: '2.1'
|
34
35
|
type: :runtime
|
35
36
|
prerelease: false
|
36
37
|
version_requirements: !ruby/object:Gem::Requirement
|
37
38
|
requirements:
|
38
39
|
- - "~>"
|
39
40
|
- !ruby/object:Gem::Version
|
40
|
-
version: '2.
|
41
|
+
version: '2.1'
|
41
42
|
description: Enables Devise to hash passwords with Argon2id
|
42
43
|
email:
|
43
44
|
- tamas at tamaserdos com
|