rodauth 0.9.1 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c5d5ec10b4cd33cbc64f23f42bfb75e096982e09
-  data.tar.gz: b8793e5c0881340a056c8188cd80f6a6c94c5191
+  metadata.gz: 4562cb5ac9001ed624c4a17b266e248bda416bfa
+  data.tar.gz: 83b071943791302efef9980bef8d04629ea26d8a
 SHA512:
-  metadata.gz: f87e70dba05f2bf05c1879c0b1343740998335dddb544b3ce81a33e3c6478549d4e902e22e3c3a4867f165c2e623435ab7922bf572b88cddaf4a6ea21dc1ce92
-  data.tar.gz: 3f3ff270fb76ce23e70da11b87365c18522571e79b3c546262a4da960dbac3c5dafaa881a3c103683c2336dc683b93f19bd788d21268de88c00d1f3d442b8e2e
+  metadata.gz: 46012c509f3e3fe2df2c27c56d7f0ecb6f950c6f7227faa056f8578f940908d20cd2d7757c5a6c63a387f7da066216eba6ab7e1553fd70d1a92882a8d2a2ced4
+  data.tar.gz: 88d313c1a7739bd54ac588e25046e90eed284502ce119c69862e20cc49028bcee2999e8c0ce93874bec4fefcdb2d92bc1de4183359b395cd9e7a8df8af272bde

data/CHANGELOG

@@ -1,3 +1,7 @@
+=== 0.10.0 (2016-02-17)
+
+* Retrieve salt from database and compute hash client side, instead of computing hash on server (jeremyevans)
+
 === 0.9.1 (2015-08-13)
 
 * Don't use csrf plugin automatically (jeremyevans)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015 Jeremy Evans
+Copyright (c) 2015-2016 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/README.rdoc

@@ -34,20 +34,21 @@ Bugs :: http://github.com/jeremyevans/rodauth/issues
 
 Passwords are hashed using bcrypt, and the password hashes are
 kept in a separate table from the accounts table, with a foreign key
-referencing the accounts table.  A PostgreSQL function is added to
-check the password for a given application account matches.
+referencing the accounts table.  Two PostgreSQL functions are added,
+one to retrieve the salt for a password, and the other to check
+if a given password hash matches the password hash for the user.
 
 A separate database account owns the table containing the password
 hashes, which the application database account cannot access.
 The application database account has the ability to execute the
-function to check the password, but not the ability to access the
-password hashes directly, making it much more difficult for an
-attacker to access the password hashes even if they are able to
-exploit an SQL injection or remote code execution vulnerability
-in the application.  Even if an attacker was able to exploit a
-vulnerability in the application, they would only be to check if
-a specific password matches for a given user, which is the same
-access an attacker would have anyway if they just tried to login.
+functions to get the salt and check the password hash, but not the
+ability to access the password hashes directly, making it much more
+difficult for an attacker to access the password hashes even if they
+are able to exploit an SQL injection or remote code execution
+vulnerability in the application.  Even if an attacker was able to
+exploit a vulnerability in the application, the only additional
+information they would have is the salt for the password, which
+is much less sensitive than the entire password hash.
 
 While the application database account is not be able to read
 password hashes, it is still be able to insert password hashes,
@@ -56,15 +57,15 @@ additional security is not that painful.
 
 The reason for extra security in regards to password hashes stems from
 the fact that people tend to reuse passwords, so a compromise of one
-site can result in account access on other sites, making password hash
-storage of critical importance even if the other data stored is not
-that important.
+database containing password hashes can result in account access on
+other sites, making password hash storage of critical importance even
+if the other data stored is not that important.
 
 If you are storing other important information in your database, you
 should consider using a similar approach in other areas (or all areas)
 of your application.
 
-Rodauth can still be used if you are using a more convential approach
+Rodauth can still be used if you are using a more conventional approach
 of storing the password hash in a column in the same table, with
 a single configuration setting.
 
@@ -104,16 +105,14 @@ storage to the same level as other common authentication solutions.
 === Load extensions
 
 If you want to use the login features for Rodauth, you need to load the
-pgcrypto extension with the database superuser account, and load the
 citext extension if you want to support case insensitive logins.
 
 Example:
 
-  echo "CREATE EXTENSION pgcrypto" | psql -U postgres $database_name
   echo "CREATE EXTENSION citext" | psql -U postgres $database_name
 
-Note that on Heroku, both of these extensions can be loaded using a
-standard database account.
+Note that on Heroku, this extension can be loaded using a standard database
+account.
 
 === Create database accounts
 
@@ -216,13 +215,27 @@ Second migration, run using the secondary database account:
         String :password_hash, :null=>false
       end
 
-      # Function used to check if a password is valid.  Takes the related account id
-      # and unencrypted password, checks if password matches password hash.
+      # Function that returns salt for current password.
       run <<END
-  CREATE OR REPLACE FUNCTION account_valid_password(account_id int8, password text) RETURNS boolean AS $$
+  CREATE OR REPLACE FUNCTION rodauth_get_salt(account_id int8) RETURNS text AS $$
+  DECLARE salt text;
+  BEGIN
+  SELECT substr(password_hash, 0, 30) INTO salt 
+  FROM account_password_hashes
+  WHERE account_id = id;
+  RETURN salt;
+  END;
+  $$ LANGUAGE plpgsql
+  SECURITY DEFINER
+  SET search_path = public, pg_temp;
+  END
+
+      # Function that checks if password hash is valid for given user.
+      run <<END
+  CREATE OR REPLACE FUNCTION rodauth_valid_password_hash(account_id int8, hash text) RETURNS boolean AS $$
   DECLARE valid boolean;
   BEGIN
-  SELECT password_hash = crypt($2, password_hash) INTO valid 
+  SELECT password_hash = hash INTO valid 
   FROM account_password_hashes
   WHERE account_id = id;
   RETURN valid;
@@ -235,14 +248,17 @@ Second migration, run using the secondary database account:
       # Restrict access to the password hash table
       app_user = get{Sequel.lit('current_user')}.sub(/_password\z/, '')
       run "REVOKE ALL ON account_password_hashes FROM public"
-      run "REVOKE ALL ON FUNCTION account_valid_password(int8, text) FROM public"
+      run "REVOKE ALL ON FUNCTION rodauth_get_salt(int8) FROM public"
+      run "REVOKE ALL ON FUNCTION rodauth_valid_password_hash(int8, text) FROM public"
       run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{app_user}"
       run "GRANT SELECT(id) ON account_password_hashes TO #{app_user}"
-      run "GRANT EXECUTE ON FUNCTION account_valid_password(int8, text) TO #{app_user}"
+      run "GRANT EXECUTE ON FUNCTION rodauth_get_salt(int8) TO #{app_user}"
+      run "GRANT EXECUTE ON FUNCTION rodauth_valid_password_hash(int8, text) TO #{app_user}"
     end
 
     down do
-      run "DROP FUNCTION account_valid_password(int8, text)"
+      run "DROP FUNCTION rodauth_get_salt(int8)"
+      run "DROP FUNCTION rodauth_valid_password_hash(int8, text)"
       drop_table(:account_password_hashes)
     end
   end
@@ -344,8 +360,7 @@ route is handled:
   end
 
 By allowing every configuration method to take a block, Rodauth
-should be flexible enough to integrate into most legacy
-authentication systems.
+should be flexible enough to integrate into most legacy systems.
 
 === Feature Documentation
 
@@ -466,6 +481,51 @@ use the following basic structure
     end
   end
 
+== Upgrading from 0.9.x
+
+To upgrade from 0.9.x to the current version, if you were using
+the account_valid_password database function, you need to drop
+it and add the two database functions listed in the migration
+section above.  You can add the following code to a migration to
+accomplish that:
+
+  run "DROP FUNCTION account_valid_password(int8, text);"
+  
+  run <<END
+  CREATE OR REPLACE FUNCTION rodauth_get_salt(account_id int8) RETURNS text AS $$
+  DECLARE salt text;
+  BEGIN
+  SELECT substr(password_hash, 0, 30) INTO salt 
+  FROM account_password_hashes
+  WHERE account_id = id;
+  RETURN salt;
+  END;
+  $$ LANGUAGE plpgsql
+  SECURITY DEFINER
+  SET search_path = public, pg_temp;
+  END
+
+  run <<END
+  CREATE OR REPLACE FUNCTION rodauth_valid_password_hash(account_id int8, hash text) RETURNS boolean AS $$
+  DECLARE valid boolean;
+  BEGIN
+  SELECT password_hash = hash INTO valid 
+  FROM account_password_hashes
+  WHERE account_id = id;
+  RETURN valid;
+  END;
+  $$ LANGUAGE plpgsql
+  SECURITY DEFINER
+  SET search_path = public, pg_temp;
+  END
+
+  # Restrict access to the password hash table
+  app_user = get{Sequel.lit('current_user')}.sub(/_password\z/, '')
+  run "REVOKE ALL ON FUNCTION rodauth_get_salt(int8) FROM public"
+  run "REVOKE ALL ON FUNCTION rodauth_valid_password_hash(int8, text) FROM public"
+  run "GRANT EXECUTE ON FUNCTION rodauth_get_salt(int8) TO #{app_user}"
+  run "GRANT EXECUTE ON FUNCTION rodauth_valid_password_hash(int8, text) TO #{app_user}"
+
 == Possible Future Directions
 
 * OmniAuth support.  This is not something I plan to work on myself,

data/Rakefile

@@ -71,7 +71,6 @@ task :db_setup do
   sh 'echo "CREATE USER rodauth_test PASSWORD \'rodauth_test\'" | psql -U postgres'
   sh 'echo "CREATE USER rodauth_test_password PASSWORD \'rodauth_test\'" | psql -U postgres'
   sh 'createdb -U postgres -O rodauth_test rodauth_test'
-  sh 'echo "CREATE EXTENSION pgcrypto" | psql -U postgres rodauth_test'
   sh 'echo "CREATE EXTENSION citext" | psql -U postgres rodauth_test'
   require 'sequel'
   Sequel.extension :migration

data/lib/roda/plugins/rodauth/login.rb

@@ -64,11 +64,15 @@ class Roda
         end
 
         def password_match?(password)
+          require 'bcrypt'
           if account_password_hash_column
-            require 'bcrypt'
             BCrypt::Password.new(account.send(account_password_hash_column)) == password
           else
-            db.get{|db| db.account_valid_password(account.send(account_id), password)}
+            id = account.send(account_id)
+            if salt = db.get{rodauth_get_salt(id)}
+              hash = BCrypt::Engine.hash_secret(password, salt)
+              db.get{rodauth_valid_password_hash(id, hash)}
+            end
           end
         end
       end

data/spec/migrate_password/001_tables.rb

@@ -6,13 +6,27 @@ Sequel.migration do
       String :password_hash, :null=>false
     end
 
-    # Function used to check if a password is valid.  Takes the related account id
-    # and unencrypted password, checks if password matches password hash.
+    # Function that returns salt for current password.
     run <<END
-CREATE OR REPLACE FUNCTION account_valid_password(account_id int8, password text) RETURNS boolean AS $$
+CREATE OR REPLACE FUNCTION rodauth_get_salt(account_id int8) RETURNS text AS $$
+DECLARE salt text;
+BEGIN
+SELECT substr(password_hash, 0, 30) INTO salt 
+FROM account_password_hashes
+WHERE account_id = id;
+RETURN salt;
+END;
+$$ LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public, pg_temp;
+END
+
+    # Function that checks if password hash is valid for given user.
+    run <<END
+CREATE OR REPLACE FUNCTION rodauth_valid_password_hash(account_id int8, hash text) RETURNS boolean AS $$
 DECLARE valid boolean;
 BEGIN
-SELECT password_hash = crypt($2, password_hash) INTO valid 
+SELECT password_hash = hash INTO valid 
 FROM account_password_hashes
 WHERE account_id = id;
 RETURN valid;
@@ -25,14 +39,17 @@ END
     # Restrict access to the password hash table
     app_user = get{Sequel.lit('current_user')}.sub(/_password\z/, '')
     run "REVOKE ALL ON account_password_hashes FROM public"
-    run "REVOKE ALL ON FUNCTION account_valid_password(int8, text) FROM public"
+    run "REVOKE ALL ON FUNCTION rodauth_get_salt(int8) FROM public"
+    run "REVOKE ALL ON FUNCTION rodauth_valid_password_hash(int8, text) FROM public"
     run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{app_user}"
     run "GRANT SELECT(id) ON account_password_hashes TO #{app_user}"
-    run "GRANT EXECUTE ON FUNCTION account_valid_password(int8, text) TO #{app_user}"
+    run "GRANT EXECUTE ON FUNCTION rodauth_get_salt(int8) TO #{app_user}"
+    run "GRANT EXECUTE ON FUNCTION rodauth_valid_password_hash(int8, text) TO #{app_user}"
   end
 
   down do
-    run "DROP FUNCTION account_valid_password(int8, text)"
+    run "DROP FUNCTION rodauth_get_salt(int8)"
+    run "DROP FUNCTION rodauth_valid_password_hash(int8, text)"
     drop_table(:account_password_hashes)
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.10.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-13 00:00:00.000000000 Z
+date: 2016-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -220,9 +220,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: Authentication Framework for Roda/Sequel/PostgreSQL
 test_files: []
-has_rdoc: true