devise-argon2 1.1.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6710d39a7495e895f798cb907b4d4e4d67fa0f39fd3141d2a4d76d6da0c0b7a4
-  data.tar.gz: 48086d611acd10f4d91b2ccfa229bac0abe6f587abdae1a3b3df154c6d2d6408
+  metadata.gz: 6d20fef20b04b01fd33fd4e8b7104f50ef57ce75e6a4406df46a3ea10fe693a1
+  data.tar.gz: 7b66c6a1e646eea75a16c43ae37a95b557e6342488885a73ab60a80d3d5903a5
 SHA512:
-  metadata.gz: 9e1be2f0b26ca41bb61ea3f42d1bfae79e59b1a670fe23574d1453138173caa8e4267266a169d9bfcc15bead58be9fb8009d70d183bf18a22967682ba58c095a
-  data.tar.gz: 22671a23d33b2de4c6c5ee5e50d1e5eb6a46009c338612256138b8ad72ff05cef442854c9f6ceab4f7a42934fbbafad0d213ce898c9c6ce6916c58625bed0335
+  metadata.gz: 668de52215782a24691ec1d44ced5c85376d99099da8352c583a3452fb78d60e928fef311efe5bdfadffc5dfac130b1affabf9ce26b0197ea807d5602ed257d8
+  data.tar.gz: 12669cb6bbd94d3cc6e0427a6bf805152417f47858145daf6fba20907d32c10f9c8bedf4535a7ede8af0c572723886537ee782967e7b9b7e5566ec01c6f6ec27

data/.github/workflows/test.yml

@@ -0,0 +1,47 @@
+name: Test suite
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.7', '3.0', '3.1', '3.2', 'ruby-head']
+        rails-version: ['~> 7.0', '~> 6.1']
+        orm:
+          - adapter: active_record
+          - adapter: mongoid
+            mongoid-version: 8.1.2
+          - adapter: mongoid
+            mongoid-version: 8.0.6
+          - adapter: mongoid
+            mongoid-version: 7.5.4
+        include:
+          - rails-version: '~> 7.1'
+            ruby-version: '3.1'
+            orm:
+              adapter: active_record
+          - rails-version: '~> 7.1'
+            ruby-version: '3.2'
+            orm:
+              adapter: active_record
+    env:
+      RAILS_VERSION: ${{ matrix.rails-version  || '~> 7.0'}}
+      MONGOID_VERSION: ${{ matrix.orm.mongoid-version || '8.1.2'}}
+      ORM: ${{ matrix.orm.adapter }}
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Ruby ${{ matrix.ruby-version }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - uses: supercharge/mongodb-github-action@1.10.0
+      if: ${{ matrix.orm.adapter == 'mongoid' }}
+    - name: Setup rails test environment
+      run: |
+        cd spec/rails_app
+        RAILS_ENV=test bin/rails db:setup
+    - name: Run tests
+      run: bundle exec rspec

data/.gitignore

@@ -12,6 +12,9 @@ lib/bundler/man
 pkg
 rdoc
 spec/reports
+spec/rails_app/log/*
+spec/rails_app/tmp/*
+spec/rails_app/db/test.sqlite3
 test/tmp
 test/version_tmp
 tmp

data/CHANGELOG.md

@@ -0,0 +1,20 @@
+# Changelog 
+
+## Unreleased
+
+### Added
+- Expose Argon2 options for configuring hashing work factors
+- Add support for migration v1 hashes
+- Add support for migrating bcrypt hashes
+- Add tests for Mongoid
+- Add Changelog :)
+ 
+### Changed
+- Change salting / peppering mechanism
+- Change CI from Travis to GitHub Actions
+ 
+### Removed 
+- Remove `devise-encryptable` dependency
+- Remove superflous dependency on devise `password_salt` column
+
+

data/Gemfile

@@ -1,10 +1,13 @@
 source 'https://rubygems.org'
 
-# Specify your gem's dependencies in gvoe_auth-client.gemspec
 gemspec
 
 gem 'rspec'
 gem 'simplecov'
-gem 'activesupport'
-gem 'activemodel'
-gem 'pry'
+gem 'activerecord'
+gem 'sqlite3'
+gem 'rails', ENV['RAILS_VERSION'] || '~> 7.0'
+
+if ENV['ORM'] == 'mongoid'
+  gem 'mongoid', ENV['MONGOID_VERSION'] || '~> 7.5'
+end

data/README.md

@@ -1,41 +1,124 @@
-devise-argon2 [![Build Status](https://secure.travis-ci.org/erdostom/devise-argon2.png)][Continuous Integration] [![Gem Version](https://badge.fury.io/rb/devise-argon2.svg)](https://badge.fury.io/rb/devise-argon2)
-=============
+# devise-argon2 
+[![Gem Version](https://badge.fury.io/rb/devise-argon2.svg)](https://badge.fury.io/rb/devise-argon2)
 
-**A [devise-encryptable] password encryptor that uses [argon2]**
+A ruby gem that gives Devise models which use `database_authenticatable` the ability to hash
+passwords with Argon2id.
 
-  * [Continuous Integration]
+## Installation
 
-[Continuous Integration]: http://travis-ci.org/erdostom/devise-argon2 "Continuous integration @ travis-ci.org"
-
-[argon2]: https://github.com/technion/ruby-argon2
-[devise]: https://github.com/plataformatec/devise
-[devise-encryptable]: https://github.com/plataformatec/devise-encryptable
-
-## Why use Argon2?
-
-Argon2 won Password Hashing Competition and offers additional security compared to the default `bcrypt` by adding a memory cost. More info:
-
-- https://github.com/P-H-C/phc-winner-argon2
-- https://hynek.me/articles/storing-passwords/
+```
+bundle add devise-argon2
+```
 
 ## Usage
 
-Assuming you have [devise] (>= 2.1) and the [devise-encryptable] plugin
-set up in your application, add `devise-argon2` to your `Gemfile` and `bundle`:
-
-    gem 'devise-argon2'
+Add `devise :argon2` to your Devise model. For example:
+
+```
+class User < ApplicationRecord
+  devise :database_authenticatable, :argon2
+end
+```
+
+Now the password of a newly created user will be hashed with Argon2id. Existing BCrypt hashes will
+continue to work; if the password of a user is hashed with BCrypt, the Argon2id hash will replace
+the existing hash as soon as a user signs in (more specifically: as soon as `valid_password?`
+is called with a valid password).
+
+## Configuration
+
+### Argon2 options
+
+For Argon2 hashing the gem [ruby-argon2](https://github.com/technion/ruby-argon2) is used, which
+provides FFI bindings to the
+[Argon 2 reference implementation](https://github.com/P-H-C/phc-winner-argon2).
+`ruby-argon2` can be configured by passing parameters like `profile`, `t_cost`, `m_cost`, `p_cost`,
+or `secret` to `Argon2::Password.new`. These parameters can be set like this:
+
+```
+class User < ApplicationRecord
+  devise :database_authenticatable,
+    :argon2,
+    argon2_options: {  t_cost: 3, p_cost: 2 }
+end
+```
+
+If the the configured work factors differ from the work factors of the hash in the database, the
+password will be re-hashed as soon as `valid_password?` is called with a valid password.
+
+### Pepper/secret key
+
+The [Argon 2 reference implementation](https://github.com/P-H-C/phc-winner-argon2#library) has a
+built-in pepper which is called `secret`. This Argon2 secret key can be set like this:
+
+```
+class User < ApplicationRecord
+  devise :database_authenticatable,
+    :argon2,
+    argon2_options: { secret: ENV['ARGON2_SECRET_KEY'] }
+end
+```
+
+Traditionally, peppers in Devise are configured by setting `config.pepper` in `devise.rb`. This
+option in honored but `argon2_options[:secret]` takes precedence over `config.pepper`. Specifically:
+- `config.pepper` is used as secret key for new hashes if and only if `argon2_options[:secret]` is
+not set.
+- The verification of existing BCrypt hashes is not touched, so it continues to use `config.pepper`
+as pepper.
+
+## Updating from version 1
+
+With version 2 come two major changes: First, `devise-encryptable` is no longer needed. Second, the mechanism for salting
+and peppering has changed: Salts are now managed by Argon2 and the pepper is passed as secret key
+parameter. If you have existing hashes in your database that have been generated by
+devise-argon2 v1, you'll need to set `:migrate_from_devise_argon2_v1` in `argon2_options`.
+
+With this option your existing hashes will continue to work as the old mechanism for salting and
+peppering is used if and only if `password_salt` is truthy. The first time you pass a valid
+password to `valid_password?`, the hash will be updated and `password_salt` will be set to `nil`.
+The next time you call `valid_password?` the new salting and peppering mechanism will be used
+because `password_salt` is not truthy anymore.
+
+As soon as all `password_salt` fields are set to `nil`, you can delete the column from the database
+and remove `:migrate_from_devise_argon2_v1` from `argon2_options`.
+
+Please note that this works only if your database table has a field `password_salt`.
+
+### Upgrade Steps
+
+1. Update your `Gemfile` to use `devise-argon2` version 2: `gem 'devise-argon2', '~> 2.0'`
+1. Remove `devise-encryptable` from your `Gemfile`
+1. Run `bundle install`
+1. Remove the line `config.encryptor = :argon2` from `config/initializers/devise.rb`
+1. Change your Devise model by removing `:encryptable` and adding `:argon2, argon2_options: { migrate_from_devise_argon2_v1: true }`
+    1. It should now look something like this
+   
+```
+class User < ApplicationRecord
+  devise :database_authenticatable,
+    :argon2,
+    argon2_options: { migrate_from_devise_argon2_v1: true }
+end
+```
+
+That's it, you're done! Your users will now be able to log in with their existing passwords and their passwords will be migrated to the V2 format the next time they log in.
+
+---
+
+Once all of your users' passwords are migrated to the V2 format:
+   1. Remove the `argon2_options { migrated_from_devise_argon2_v1: true }` line from your Devise model
+   1. Delete the `password_salt` column from your database using a migration like this:
+```
+class RemovePasswordSaltFromUsers < ActiveRecord::Migration[7.1]
+  def change
+    remove_column :users, :password_salt, :string
+  end
+end
+```
+
+Note: If you do this before all of your users' passwords are migrated to the V2 format, they will be unable to log 
+in with their current passwords.
 
-Then open up your [devise] configuration,`config/initializers/devise.rb` and configure your encryptor to be `argon2`:
-
-    # config/initializers/devise.rb
-    Devise.setup do |config|
-      # ..
-      config.encryptor = :argon2
-      # ...
-    end
-
-It is also recommended to uncomment (or add) `config.pepper` with a random
-string that will be used in addition to the per-user `password_salt` when hashing.
 
 ## Contributing
 
@@ -45,6 +128,10 @@ string that will be used in addition to the per-user `password_salt` when hashin
 4. Push to the branch (`git push origin my-new-feature`)
 5. Create new Pull Request
 
-## Copyright
+## Contributors
+
+Please see here for full list of contributors: https://github.com/erdostom/devise-argon2/graphs/contributors
+
+## License
 
 Released under MIT License.

data/devise-argon2.gemspec

@@ -1,23 +1,26 @@
 # -*- encoding: utf-8 -*-
 lib = File.expand_path('../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require "devise/encryptable/encryptors/argon2/version"
+require "devise-argon2/version"
 
 Gem::Specification.new do |gem|
-  gem.name          = "devise-argon2"
-  gem.version       = Devise::Encryptable::Encryptors::ARGON2_VERSION
-  gem.authors       = ["Tamas Erdos"]
-  gem.email         = ["tamas at tamaserdos com"]
-  gem.description   = %q{A devise-encryptable password encryptor that uses Argon2}
-  gem.summary       = %q{A devise-encryptable password encryptor that uses Argon2}
-  gem.homepage      = "https://github.com/erdostom/devise-argon2"
+  gem.name = "devise-argon2"
+  gem.version = Devise::Argon2::ARGON2_VERSION
+  gem.authors = ["Tamas Erdos"]
+  gem.email = ["tamas at tamaserdos com"]
+  gem.description = %q{Enables Devise to hash passwords with Argon2id}
+  gem.summary = %q{Enables Devise to hash passwords with Argon2id}
+  gem.license = 'MIT'
+  gem.homepage = "https://github.com/erdostom/devise-argon2"
 
-  gem.files         = `git ls-files`.split($/)
-  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
-  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.files = `git ls-files`.split($/)
+  gem.executables = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
+  gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
   gem.add_dependency 'devise', '>= 2.1.0'
-  gem.add_dependency 'devise-encryptable', '>= 0.2.0'
   gem.add_dependency 'argon2', '~> 2.0'
+
+
+  gem.post_install_message = "Version 2 of devise-argon2 introduces breaking changes, please see README.md for details."
 end

data/lib/devise-argon2/model.rb

@@ -0,0 +1,89 @@
+require 'argon2'
+
+module Devise
+  module Models
+    module Argon2
+      def valid_password?(password)
+        is_valid = hash_needs_update = false
+        
+        if ::Argon2::Password.valid_hash?(encrypted_password)
+          if migrate_hash_from_devise_argon2_v1?
+            is_valid = ::Argon2::Password.verify_password(
+              "#{password}#{password_salt}#{self.class.pepper}",
+              encrypted_password
+            )
+            hash_needs_update = true
+          else
+            argon2_secret = (self.class.argon2_options[:secret] || self.class.pepper)
+            is_valid = ::Argon2::Password.verify_password(
+              password,
+              encrypted_password,
+              argon2_secret
+            )
+            hash_needs_update = outdated_work_factors?
+          end
+        else
+          # Devise models are included in a fixed order, see
+          # https://github.com/heartcombo/devise/blob/f6e73e5b5c8f519f4be29ac9069c6ed8a2343ce4/lib/devise/models.rb#L79.
+          # Since we don't specify where this model should be inserted when we call add_module,
+          # it will be inserted at the end, i.e. after DatabaseAuthenticatable (see
+          # https://github.com/heartcombo/devise/blob/f6e73e5b5c8f519f4be29ac9069c6ed8a2343ce4/lib/devise.rb#L393). 
+          # So we can call DatabaseAuthenticable's valid_password? with super.
+          is_valid = super
+          hash_needs_update = true
+        end
+
+        update_hash(password) if is_valid && hash_needs_update
+
+        is_valid
+      end
+
+      protected
+
+      def password_digest(password)
+        hasher_options = self.class.argon2_options.except(:migrate_from_devise_argon2_v1)
+        hasher_options[:secret] ||= self.class.pepper
+        hasher = ::Argon2::Password.new(hasher_options)
+        hasher.create(password)
+      end
+
+      private
+
+      def update_hash(password)
+        attributes = { encrypted_password: password_digest(password) }
+        attributes[:password_salt] = nil if migrate_hash_from_devise_argon2_v1?
+
+        self.assign_attributes(attributes)
+        self.save if self.persisted?
+      end
+
+      def outdated_work_factors?
+        # Since version 2.3.0 the argon2 gem exposes the default work factors via constants, see
+        # https://github.com/technion/ruby-argon2/commit/d62ecf8b4ec6b8c1651fade5a5ebdc856e8aef42
+        default_t_cost = defined?(::Argon2::Password::DEFAULT_T_COST) ? ::Argon2::Password::DEFAULT_T_COST : 2
+        default_m_cost = defined?(::Argon2::Password::DEFAULT_M_COST) ? ::Argon2::Password::DEFAULT_M_COST : 16
+        default_p_cost = defined?(::Argon2::Password::DEFAULT_P_COST) ? ::Argon2::Password::DEFAULT_P_COST : 1
+
+        current_t_cost = self.class.argon2_options[:t_cost] || default_t_cost
+        current_m_cost = self.class.argon2_options[:m_cost] || default_m_cost
+        current_p_cost = self.class.argon2_options[:p_cost] || default_p_cost
+        
+        hash_format = ::Argon2::HashFormat.new(encrypted_password)
+
+        hash_format.t_cost != current_t_cost ||
+          hash_format.m_cost != (1 << current_m_cost) ||
+          hash_format.p_cost != current_p_cost
+      end
+
+      def migrate_hash_from_devise_argon2_v1?
+        self.class.argon2_options[:migrate_from_devise_argon2_v1] &&
+          defined?(password_salt) &&
+          password_salt
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :argon2_options)
+      end
+    end
+  end
+end

data/lib/devise-argon2/version.rb

@@ -0,0 +1,5 @@
+module Devise
+  module Argon2
+    ARGON2_VERSION = '2.0.0'
+  end
+end

data/lib/devise-argon2.rb

@@ -1,4 +1,9 @@
 require 'devise'
-require 'devise-encryptable'
-require "devise/encryptable/encryptors/argon2/version"
-require "devise/encryptable/encryptors/argon2"
+require 'devise-argon2/version'
+
+module Devise
+  add_module(:argon2, :model => 'devise-argon2/model')
+  
+  mattr_accessor :argon2_options
+  @@argon2_options = {}
+end

data/spec/devise-argon2_spec.rb

@@ -1,50 +1,247 @@
 # encoding: utf-8
 require 'spec_helper'
+require 'bcrypt'
 
-describe Devise::Encryptable::Encryptors::Argon2 do
-  let(:argon2)    { Devise::Encryptable::Encryptors::Argon2 }
-  let(:password)  { 'Tr0ub4dor&3' }
-  let(:stretches) { 10 }
+describe Devise::Models::Argon2 do
+  CORRECT_PASSWORD = 'Tr0ub4dor&3'
+  INCORRECT_PASSWORD = 'wrong'
+  DEFAULT_M_COST = 3
+  DEFAULT_T_COST = 1
+  DEFAULT_P_COST = 1
 
-  describe "used with salt + pepper" do
-    let(:salt)      { "You say you love me like salt! The simplest spice in my kingdom!" }
-    let(:pepper)    { "I don't really want to stop the show But I thought that you might like to know That the singer's going to sing a song And he wants you all to sing along" }
+  let(:user) { User.new(password: CORRECT_PASSWORD) }
 
-    describe ".compare" do
-      let(:encrypted) { Argon2::Password.create("#{password}#{salt}#{pepper}").to_s }
+  before do
+    Devise.pepper = nil
+    Devise.argon2_options = {
+      m_cost: DEFAULT_M_COST,
+      t_cost: DEFAULT_T_COST,
+      p_cost: DEFAULT_P_COST
+    }
+    User.destroy_all
+  end
+
+  def work_factors(hash)
+    hash_format = Argon2::HashFormat.new(hash)
+    {
+      m_cost: hash_format.m_cost,
+      t_cost: hash_format.t_cost,
+      p_cost: hash_format.p_cost
+    }
+  end
 
-      it "is true when the encrypted password contains the argon2id format" do
-        expect(encrypted).to match /argon2id/
-      end    
+  describe 'valid_password?' do
+    shared_examples 'a password is validated if and only if it is correct' do
+      it 'validates the correct password' do
+        expect(user.valid_password?(CORRECT_PASSWORD)).to be true
+      end
 
-      it "is true when comparing an encrypted password against given plaintext" do
-        expect(argon2.compare(encrypted, password, stretches, salt, pepper)).to be true
+      it 'does not validate an incorrect password' do
+        expect(user.valid_password?(INCORRECT_PASSWORD)).to be false
       end
+    end
+
+    context 'no pepper' do
+      include_examples 'a password is validated if and only if it is correct'
+    end
+
+    context 'Devise.pepper is set' do
+      before do
+        Devise.pepper = 'pepper'
+      end
+
+      include_examples 'a password is validated if and only if it is correct'
+    end
+
+    context 'argon2_options[:secret] is set' do
+      before do
+        Devise.argon2_options[:secret] = 'pepper'
+      end
+
+      include_examples 'a password is validated if and only if it is correct'
+    end
 
-      it "is false when comparing with wrong password" do
-        expect(argon2.compare(encrypted, 'hunter2', stretches, salt, pepper)).to be false
+    context 'encrypted_password is a BCrypt hash' do
+      before do
+        Devise.pepper = 'devise pepper'
+        Devise.argon2_options.merge!({ secret: 'argon2 secret' })
+
+        # Devise peppers by concatenating password and pepper:
+        # https://github.com/heartcombo/devise/blob/main/lib/devise/encryptor.rb
+        bcrypt_hash = BCrypt::Password.create("#{CORRECT_PASSWORD}#{Devise.pepper}", cost: 4)
+
+        user.encrypted_password = bcrypt_hash
       end
 
-      it "is false when comparing with correct password but wrong salt" do
-        expect(argon2.compare(encrypted, password, stretches, 'nacl', pepper)).to be false
+      include_examples 'a password is validated if and only if it is correct'
+
+      it 'updates hash if valid password is given' do
+        expect{ user.valid_password?(CORRECT_PASSWORD) }.to(change(user, :encrypted_password))
+        expect(
+          ::Argon2::Password.verify_password(
+            CORRECT_PASSWORD,
+            user.encrypted_password,
+            'argon2 secret'
+          )
+        ).to be true
       end
 
-      it "is false when comparing with correct password but wrong pepper" do
-        expect(argon2.compare(encrypted, password, stretches, salt, 'beatles')).to be false
+      it 'does not update the hash if an invalid password is given' do
+        expect{ user.valid_password?(INCORRECT_PASSWORD) }.not_to(change(user, :encrypted_password))
       end
     end
 
-    describe "without any salt or pepper" do
-      let(:encrypted) { Argon2::Password.create(password).to_s }
-      let(:salt) { nil }
-      let(:pepper) { nil }
-      let(:encrypted) { Argon2::Password.create(password).to_s }
+    context 'encrypted_password is hashed with version 1 of devise-argon2' do
+      let(:user) { OldUser.new(password: CORRECT_PASSWORD) }
+
+      before do
+        Devise.pepper = 'devise pepper'
+        Devise.argon2_options.merge!({
+          secret: 'argon2 secret',
+          migrate_from_devise_argon2_v1: true
+        })
 
-      it "is still works" do
-        expect(argon2.compare(encrypted, password, stretches, salt, pepper)).to be true
+        user.password_salt = 'devise-argon2 v1 salt'
+        user.encrypted_password = ::Argon2::Password.create(
+          "#{CORRECT_PASSWORD}#{user.password_salt}#{Devise.pepper}"
+        )
+      end
+
+      include_examples 'a password is validated if and only if it is correct'
+
+      it 'updates hash once if valid password is given' do
+        expect{ user.valid_password?(CORRECT_PASSWORD) }.to(
+          change(user, :encrypted_password)
+          .and(change(user, :password_salt).to(nil))
+        )
+        expect(
+          ::Argon2::Password.verify_password(
+            CORRECT_PASSWORD,
+            user.encrypted_password,
+            'argon2 secret'
+          )
+        ).to be true
+        expect{ user.valid_password?(CORRECT_PASSWORD) }.not_to(change(user, :encrypted_password))
+      end
+
+      it 'does not update the hash if an invalid password is given' do
+        expect{ user.valid_password?(INCORRECT_PASSWORD) }.not_to(change(user, :encrypted_password))
       end
     end
 
+    describe 'updating outdated work factors' do
+      it 'updates work factors if a valid password is given' do
+        user # build user
+
+        Devise.argon2_options.merge!({
+          m_cost: 4,
+          t_cost: 3,
+          p_cost: 2
+        })
+
+        expect{ user.valid_password?(CORRECT_PASSWORD) }.to(
+          change{ work_factors(user.encrypted_password) }
+            .from({ m_cost: 1 << DEFAULT_M_COST, t_cost: DEFAULT_T_COST, p_cost: DEFAULT_P_COST})
+            .to({ m_cost: 1 << 4, t_cost: 3, p_cost: 2 })
+        )
+      end
+
+      it 'does not update work factors if an invalid password is given' do
+        user # build user
+
+        Devise.argon2_options.merge!({
+          m_cost: 4,
+          t_cost: 3,
+          p_cost: 2
+        })
+
+        expect{ user.valid_password?(INCORRECT_PASSWORD) }
+          .not_to change{ work_factors(user.encrypted_password) }
+      end
+
+      it 'updates work factors for a persisted user' do
+        user.save!
+
+        Devise.argon2_options.merge!({
+          m_cost: 4,
+          t_cost: 3,
+          p_cost: 2
+        })
+
+        expect{ user.valid_password?(CORRECT_PASSWORD) }.to(
+          change{ work_factors(user.encrypted_password) }
+            .from({ m_cost: 1 << DEFAULT_M_COST, t_cost: DEFAULT_T_COST, p_cost: DEFAULT_P_COST})
+            .to({ m_cost: 1 << 4, t_cost: 3, p_cost: 2 })
+        )
+      end
+    end
+
+    it 'ignores migrate_from_devise_argon2_v1 if password_salt is not present' do
+      Devise.argon2_options.merge!({ migrate_from_devise_argon2_v1: true })
+      expect{ user.valid_password?(CORRECT_PASSWORD) }.not_to(change(user, :encrypted_password))
+    end
   end
 
+  describe 'password_digest' do
+    context 'no pepper' do
+      it 'hashes the given password with Argon2' do
+        expect(
+          Argon2::Password.verify_password(CORRECT_PASSWORD, user.encrypted_password)
+        ).to be true
+      end
+    end
+
+    context 'Devise.pepper is set' do
+      before do
+        Devise.pepper = 'pepper'
+      end
+
+      it 'uses Devise.pepper as secret key for Argon2' do
+        expect(
+          Argon2::Password.verify_password(CORRECT_PASSWORD, user.encrypted_password, 'pepper')
+        ).to be true
+      end
+    end
+
+    context 'argon2_options[:secret] is set' do
+      before do
+        Devise.argon2_options[:secret] = 'pepper'
+      end
+
+      it 'uses argon2_options[:secret] as secret key for Argon2' do
+        expect(
+          Argon2::Password.verify_password(CORRECT_PASSWORD, user.encrypted_password, 'pepper')
+        ).to be true
+      end
+    end
+
+    context 'both Devise.pepper and argon2_options[:secret] are set' do
+      before do
+        Devise.pepper = 'devise pepper'
+        Devise.argon2_options[:secret] = 'argon2_options pepper'
+      end
+
+      it 'uses argon2_options[:secret] as secret key for Argon2' do
+        expect(
+          Argon2::Password.verify_password(
+            CORRECT_PASSWORD,
+            user.encrypted_password,
+            'argon2_options pepper'
+          )
+        ).to be true
+      end
+    end
+
+    it 'uses work factors given in argon2_options' do
+      Devise.argon2_options.merge!({
+        m_cost: 4,
+        t_cost: 3,
+        p_cost: 2
+      })
+
+      expect(work_factors(user.encrypted_password)).to eq(
+        { m_cost: 1 << 4, t_cost: 3, p_cost: 2 }
+      )
+    end
+  end
 end

data/spec/orm/active_record.rb

@@ -0,0 +1 @@
+ActiveRecord::Base.logger = Logger.new(nil)

data/spec/orm/mongoid.rb

@@ -0,0 +1,5 @@
+require 'mongoid/version'
+
+Mongoid.configure do |config|
+  config.load!('spec/rails_app/config/mongoid.yml')
+end

data/spec/rails_app/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require_relative "config/application"
+
+Rails.application.load_tasks

data/spec/rails_app/app/active_record/old_user.rb

@@ -0,0 +1,3 @@
+class OldUser < ActiveRecord::Base
+  devise :database_authenticatable, :argon2
+end

data/spec/rails_app/app/active_record/user.rb

@@ -0,0 +1,3 @@
+class User < ActiveRecord::Base
+  devise :database_authenticatable, :argon2
+end

data/spec/rails_app/app/controllers/application_controller.rb

@@ -0,0 +1,3 @@
+class ApplicationController < ActionController::Base
+
+end

data/spec/rails_app/app/mongoid/old_user.rb

@@ -0,0 +1,12 @@
+class OldUser
+  include Mongoid::Document
+  
+  devise :database_authenticatable, :argon2
+
+  field :email,              type: String, default: ""
+  field :encrypted_password, type: String, default: ""
+
+  field :password_salt, type: String, default: ""
+
+  include Mongoid::Timestamps
+end

data/spec/rails_app/app/mongoid/user.rb

@@ -0,0 +1,10 @@
+class User
+  include Mongoid::Document
+  
+  devise :database_authenticatable, :argon2
+
+  field :email,              type: String, default: ""
+  field :encrypted_password, type: String, default: ""
+
+  include Mongoid::Timestamps
+end

data/spec/rails_app/bin/bundle

@@ -0,0 +1,109 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'bundle' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require "rubygems"
+
+m = Module.new do
+  module_function
+
+  def invoked_as_script?
+    File.expand_path($0) == File.expand_path(__FILE__)
+  end
+
+  def env_var_version
+    ENV["BUNDLER_VERSION"]
+  end
+
+  def cli_arg_version
+    return unless invoked_as_script? # don't want to hijack other binstubs
+    return unless "update".start_with?(ARGV.first || " ") # must be running `bundle update`
+    bundler_version = nil
+    update_index = nil
+    ARGV.each_with_index do |a, i|
+      if update_index && update_index.succ == i && a =~ Gem::Version::ANCHORED_VERSION_PATTERN
+        bundler_version = a
+      end
+      next unless a =~ /\A--bundler(?:[= ](#{Gem::Version::VERSION_PATTERN}))?\z/
+      bundler_version = $1
+      update_index = i
+    end
+    bundler_version
+  end
+
+  def gemfile
+    gemfile = ENV["BUNDLE_GEMFILE"]
+    return gemfile if gemfile && !gemfile.empty?
+
+    File.expand_path("../Gemfile", __dir__)
+  end
+
+  def lockfile
+    lockfile =
+      case File.basename(gemfile)
+      when "gems.rb" then gemfile.sub(/\.rb$/, ".locked")
+      else "#{gemfile}.lock"
+      end
+    File.expand_path(lockfile)
+  end
+
+  def lockfile_version
+    return unless File.file?(lockfile)
+    lockfile_contents = File.read(lockfile)
+    return unless lockfile_contents =~ /\n\nBUNDLED WITH\n\s{2,}(#{Gem::Version::VERSION_PATTERN})\n/
+    Regexp.last_match(1)
+  end
+
+  def bundler_requirement
+    @bundler_requirement ||=
+      env_var_version ||
+      cli_arg_version ||
+      bundler_requirement_for(lockfile_version)
+  end
+
+  def bundler_requirement_for(version)
+    return "#{Gem::Requirement.default}.a" unless version
+
+    bundler_gem_version = Gem::Version.new(version)
+
+    bundler_gem_version.approximate_recommendation
+  end
+
+  def load_bundler!
+    ENV["BUNDLE_GEMFILE"] ||= gemfile
+
+    activate_bundler
+  end
+
+  def activate_bundler
+    gem_error = activation_error_handling do
+      gem "bundler", bundler_requirement
+    end
+    return if gem_error.nil?
+    require_error = activation_error_handling do
+      require "bundler/version"
+    end
+    return if require_error.nil? && Gem::Requirement.new(bundler_requirement).satisfied_by?(Gem::Version.new(Bundler::VERSION))
+    warn "Activating bundler (#{bundler_requirement}) failed:\n#{gem_error.message}\n\nTo install the version of bundler this project requires, run `gem install bundler -v '#{bundler_requirement}'`"
+    exit 42
+  end
+
+  def activation_error_handling
+    yield
+    nil
+  rescue StandardError, LoadError => e
+    e
+  end
+end
+
+m.load_bundler!
+
+if m.invoked_as_script?
+  load Gem.bin_path("bundler", "bundle")
+end

data/spec/rails_app/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path("../config/application", __dir__)
+require_relative "../config/boot"
+require "rails/commands"

data/spec/rails_app/bin/rake

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative "../config/boot"
+require "rake"
+Rake.application.run

data/spec/rails_app/bin/setup

@@ -0,0 +1,33 @@
+#!/usr/bin/env ruby
+require "fileutils"
+
+# path to your application root.
+APP_ROOT = File.expand_path("..", __dir__)
+
+def system!(*args)
+  system(*args) || abort("\n== Command #{args} failed ==")
+end
+
+FileUtils.chdir APP_ROOT do
+  # This script is a way to set up or update your development environment automatically.
+  # This script is idempotent, so that you can run it at any time and get an expectable outcome.
+  # Add necessary setup steps to this file.
+
+  puts "== Installing dependencies =="
+  system! "gem install bundler --conservative"
+  system("bundle check") || system!("bundle install")
+
+  # puts "\n== Copying sample files =="
+  # unless File.exist?("config/database.yml")
+  #   FileUtils.cp "config/database.yml.sample", "config/database.yml"
+  # end
+
+  puts "\n== Preparing database =="
+  system! "bin/rails db:prepare"
+
+  puts "\n== Removing old logs and tempfiles =="
+  system! "bin/rails log:clear tmp:clear"
+
+  puts "\n== Restarting application server =="
+  system! "bin/rails restart"
+end

data/spec/rails_app/config/application.rb

@@ -0,0 +1,24 @@
+ORM = (ENV['ORM'] || 'active_record')
+
+require "rails"
+
+Bundler.require :default, ORM
+
+require "action_controller/railtie"
+
+require "#{ORM}/railtie"
+require "action_mailer/railtie"
+require 'devise-argon2'
+
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups)
+
+module DummyRailsApp
+  class Application < Rails::Application
+    config.load_defaults Rails.version.match(/^\d.\d/)[0]
+    config.eager_load = false
+    config.autoload_paths.reject!{ |p| p =~ /\/app\/(\w+)$/ && !%w(controllers helpers mailers views).include?($1) }
+    config.autoload_paths += ["#{config.root}/app/#{ORM}"]
+  end
+end

data/spec/rails_app/config/boot.rb

@@ -0,0 +1,5 @@
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../../Gemfile", __dir__)
+
+require "bundler/setup" # Set up gems listed in the Gemfile.
+
+$LOAD_PATH.unshift File.expand_path('../../../lib', __dir__)

data/spec/rails_app/config/database.yml

@@ -0,0 +1,14 @@
+# SQLite. Versions 3.8.0 and up are supported.
+#   gem install sqlite3
+#
+#   Ensure the SQLite 3 gem is defined in your Gemfile
+#   gem "sqlite3"
+#
+default: &default
+  adapter: sqlite3
+  pool: 5
+  timeout: 5000
+
+test:
+  <<: *default
+  database: db/test.sqlite3

data/spec/rails_app/config/environment.rb

@@ -0,0 +1,7 @@
+ENV['RAILS_ENV'] = 'test'
+
+# Load the Rails application.
+require_relative "application"
+
+# Initialize the Rails application.
+Rails.application.initialize!

data/spec/rails_app/config/initializers/devise.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+Devise.setup do |config|
+  require "devise/orm/#{ENV['ORM'] || 'active_record'}"
+  config.stretches = 1
+end

data/spec/rails_app/config/mongoid.yml

@@ -0,0 +1,10 @@
+test:
+  clients:
+    default:
+      database: dummy_rails_app_test
+      hosts:
+        - localhost:27017
+      options:
+        read:
+          mode: :primary
+        max_pool_size: 1

data/spec/rails_app/config.ru

@@ -0,0 +1,6 @@
+# This file is used by Rack-based servers to start the application.
+
+require_relative "config/environment"
+
+run Rails.application
+Rails.application.load_server

data/spec/rails_app/db/migrate/20230617201921_devise_create_users.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class DeviseCreateUsers < ActiveRecord::Migration[6.0]
+  def change
+    create_table :users do |t|
+      ## Database authenticatable
+      t.string :email,              null: false, default: ""
+      t.string :encrypted_password, null: false, default: ""
+
+      t.timestamps null: false
+    end
+
+    add_index :users, :email,                unique: true
+  end
+end

data/spec/rails_app/db/migrate/20231004084147_devise_create_old_users.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class DeviseCreateOldUsers < ActiveRecord::Migration[7.0]
+  def change
+    create_table :old_users do |t|
+      ## Database authenticatable
+      t.string :email,              null: false, default: ""
+      t.string :encrypted_password, null: false, default: ""
+
+      t.string :password_salt
+
+      t.timestamps null: false
+    end
+
+    add_index :old_users, :email,                unique: true
+  end
+end

data/spec/rails_app/db/schema.rb

@@ -0,0 +1,31 @@
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
+#
+# It's strongly recommended that you check this file into your version control system.
+
+ActiveRecord::Schema.define(version: 2023_10_04_084147) do
+  create_table "old_users", force: :cascade do |t|
+    t.string "email", default: "", null: false
+    t.string "encrypted_password", default: "", null: false
+    t.string "password_salt"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["email"], name: "index_old_users_on_email", unique: true
+  end
+
+  create_table "users", force: :cascade do |t|
+    t.string "email", default: "", null: false
+    t.string "encrypted_password", default: "", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["email"], name: "index_users_on_email", unique: true
+  end
+
+end

data/spec/spec_helper.rb

@@ -1,9 +1,13 @@
 require 'rubygems'
 require 'simplecov'
 SimpleCov.start
-require 'pry'
 require 'bundler/setup'
-require 'devise-argon2'
+
+require 'rails_app/config/environment'
+ORM = (ENV['ORM'] || 'active_record')
+require "orm/#{ORM}"
+
+
 
 RSpec.configure do |config|
-end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-argon2
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Tamas Erdos
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-30 00:00:00.000000000 Z
+date: 2023-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -24,20 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 2.1.0
-- !ruby/object:Gem::Dependency
-  name: devise-encryptable
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.2.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.2.0
 - !ruby/object:Gem::Dependency
   name: argon2
   requirement: !ruby/object:Gem::Requirement
@@ -52,30 +38,55 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
-description: A devise-encryptable password encryptor that uses Argon2
+description: Enables Devise to hash passwords with Argon2id
 email:
 - tamas at tamaserdos com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/test.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - devise-argon2.gemspec
 - lib/devise-argon2.rb
-- lib/devise/encryptable/encryptors/argon2.rb
-- lib/devise/encryptable/encryptors/argon2/version.rb
+- lib/devise-argon2/model.rb
+- lib/devise-argon2/version.rb
 - spec/devise-argon2_spec.rb
+- spec/orm/active_record.rb
+- spec/orm/mongoid.rb
+- spec/rails_app/Rakefile
+- spec/rails_app/app/active_record/old_user.rb
+- spec/rails_app/app/active_record/user.rb
+- spec/rails_app/app/controllers/application_controller.rb
+- spec/rails_app/app/mongoid/old_user.rb
+- spec/rails_app/app/mongoid/user.rb
+- spec/rails_app/bin/bundle
+- spec/rails_app/bin/rails
+- spec/rails_app/bin/rake
+- spec/rails_app/bin/setup
+- spec/rails_app/config.ru
+- spec/rails_app/config/application.rb
+- spec/rails_app/config/boot.rb
+- spec/rails_app/config/database.yml
+- spec/rails_app/config/environment.rb
+- spec/rails_app/config/initializers/devise.rb
+- spec/rails_app/config/mongoid.yml
+- spec/rails_app/db/migrate/20230617201921_devise_create_users.rb
+- spec/rails_app/db/migrate/20231004084147_devise_create_old_users.rb
+- spec/rails_app/db/schema.rb
 - spec/spec_helper.rb
 homepage: https://github.com/erdostom/devise-argon2
-licenses: []
+licenses:
+- MIT
 metadata: {}
-post_install_message: 
+post_install_message: Version 2 of devise-argon2 introduces breaking changes, please
+  see README.md for details.
 rdoc_options: []
 require_paths:
 - lib
@@ -90,11 +101,32 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.8
+rubygems_version: 3.3.3
 signing_key: 
 specification_version: 4
-summary: A devise-encryptable password encryptor that uses Argon2
+summary: Enables Devise to hash passwords with Argon2id
 test_files:
 - spec/devise-argon2_spec.rb
+- spec/orm/active_record.rb
+- spec/orm/mongoid.rb
+- spec/rails_app/Rakefile
+- spec/rails_app/app/active_record/old_user.rb
+- spec/rails_app/app/active_record/user.rb
+- spec/rails_app/app/controllers/application_controller.rb
+- spec/rails_app/app/mongoid/old_user.rb
+- spec/rails_app/app/mongoid/user.rb
+- spec/rails_app/bin/bundle
+- spec/rails_app/bin/rails
+- spec/rails_app/bin/rake
+- spec/rails_app/bin/setup
+- spec/rails_app/config.ru
+- spec/rails_app/config/application.rb
+- spec/rails_app/config/boot.rb
+- spec/rails_app/config/database.yml
+- spec/rails_app/config/environment.rb
+- spec/rails_app/config/initializers/devise.rb
+- spec/rails_app/config/mongoid.yml
+- spec/rails_app/db/migrate/20230617201921_devise_create_users.rb
+- spec/rails_app/db/migrate/20231004084147_devise_create_old_users.rb
+- spec/rails_app/db/schema.rb
 - spec/spec_helper.rb

data/.travis.yml

@@ -1,13 +0,0 @@
-script:
-  - bundle
-  - bundle exec rspec
-rvm:
-  - 1.9.3
-  - 2.2.3
-  - ruby-head
-  - rbx-18mode
-  - rbx-19mode
-notifications:
-  email:
-    on_success: always
-    on_failure: always

data/lib/devise/encryptable/encryptors/argon2/version.rb

@@ -1,7 +0,0 @@
-module Devise
-  module Encryptable
-    module Encryptors
-      ARGON2_VERSION = '1.1.0'
-    end
-  end
-end

data/lib/devise/encryptable/encryptors/argon2.rb

@@ -1,17 +0,0 @@
-require 'argon2'
-
-module Devise
-  module Encryptable
-    module Encryptors
-      class Argon2 < Base
-        def self.digest(password, stretches, salt, pepper)
-          ::Argon2::Password.create("#{password}#{salt}#{pepper}")
-        end
-
-        def self.compare(encrypted_password, password, stretches, salt, pepper)
-          ::Argon2::Password.verify_password("#{password}#{salt}#{pepper}", encrypted_password)
-        end
-      end
-    end
-  end
-end