seraph 0.0.3 → 0.0.4

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: c38bec486a10c2137abb51d2960a95863594eb71
4
- data.tar.gz: ea8f366ee742c81b9bf61f0b90a2da7e0b60389a
3
+ metadata.gz: 9062ea4972e3a44b97a05b4935c8f5936b05fe24
4
+ data.tar.gz: a0117bd6c8d5b547b1ff0f2dcb018fa6e06946c4
5
5
  SHA512:
6
- metadata.gz: 1e5d554f25769f57f42cc5d9e916ae00cb2f85cc15b229884f25e3a57d41f7c9c485efdb24682c8671ff78abb14b20367f8bdac9686ca1adc6a5db34d90fa709
7
- data.tar.gz: 82c075c768a468fe62b7714e13ec9ca5714884aee418b064fb8676a4f766eec5e0df5fd018a5946ea108c67e6d90862aa701800d5d2786b465a2a2e57f1e01c3
6
+ metadata.gz: 0e5b596ae436664b9b9f38cc1d51e86e2be6e1fefdb63e51268daf8bc46fc7d13f9c1667930fd4dfc072d086045fec12cadc63a4f315b9a524c90f0015e9fde1
7
+ data.tar.gz: 2b619e40492e7663987ba48d6684b5382ff38c4f02961a57d30bf525359880e1197fcf9a35401e11ced508ff0e25f55420290fc724d680cae51282b09377d453
data/README.md CHANGED
@@ -11,50 +11,61 @@ Enter in your terminal
11
11
  gem install seraph
12
12
  ```
13
13
  or put
14
- ```
14
+ ``` ruby
15
15
  gem 'seraph'
16
16
  ```
17
17
  inside your `Gemfile`
18
18
 
19
- ### What do you get?
20
-
21
- seraph offers two basic functionalities:
19
+ ## Configuration
22
20
 
23
- * encrypting the password (registration)
24
- * checking if provided password matches the encrypted password (authentication)
21
+ You can set the pepper that will be used when encrypting the password.
25
22
 
26
- #### Encrypting the password
27
-
28
- seraph uses [BCrypt](https://github.com/codahale/bcrypt-ruby) to hash the password. Additionally a pepper can be provided:
23
+ Pepper strenghtens the security of your encrypted passwords, because even if you have an SQL Injection vulnerability in your code, the attacker won't be able to get the passwords, because the pepper will be added to each password before encryption. This is ofcourse true only if the attacker doesn't have access to your application code!
29
24
 
30
25
  To get a random, high-entropy pepper, you can use `/dev/urandom`:
31
26
 
32
27
  ```
33
- xxd -l 32 -p /dev/urandom
34
- 435a501746f35834862e49fd6654680803bc37a2a83bc67318342603b7176aaa
28
+ xxd -l 32 -p /dev/urandom
35
29
  ```
36
30
 
37
- Save this value as a constant in you application code, so even if you have an SQL Injection vulnerability in your code, the attacker won't be able to get the passwords, because the pepper will be added to each password without encryption. This is of course true only if the attacker doesn't have access to your application code!
31
+ Then use in the configuration block
32
+
33
+ ``` ruby
34
+ Seraph.configure do |config|
35
+ config.pepper = 'GENERATED-PEPPER'
36
+ end
37
+ ```
38
+
39
+ But remember to save the pepper, because if you lose it, none of your users will be able to login!
40
+
41
+ ## What do you get?
42
+
43
+ Seraph offers two basic functionalities:
44
+
45
+ * encrypting the password (registration)
46
+ * checking if provided password matches the encrypted password (authentication)
47
+
48
+ ### Encrypting the password
49
+
50
+ Seraph uses [BCrypt](https://github.com/codahale/bcrypt-ruby) to hash the password. If you configure Seraph and set the pepper, it will be used in the encryption process.
38
51
 
39
- So with that out of the way, to encrypt a password, run the following code:
52
+ To encrypt a password simply run:
40
53
 
41
54
  ``` ruby
42
- PEPPER = '435a501746f35834862e49fd6654680803bc37a2a83bc67318342603b7176aaa'
43
- seraph::PasswordEncryptor.call('foobar12')
44
- # => "$2a$10$MvzzJOcgCbxmVAUqwq7Zye.3Hn9L0ahB4M8riQTK6cPUfJCR6x3ZW"
55
+ Seraph::PasswordEncryptor.call('foobar12')
56
+ # => "$2a$10$f1PWs.Qi3mtcL/fMaypEJu9HI0SchWLhsMd9kRhHEjP4v/3oqnB5G"
45
57
  ```
46
58
 
47
- As a result you get the encrypted password, which you can persist in the database alongside other user data (e-mail, login, etc.)
59
+ As a result you get the encrypted password, which you can be persisted in the database, alongside other user data (e-mail, login, etc.)
48
60
 
49
- #### Comparing a provided password with the encrypted one
61
+ ### WIP - Comparing a provided password with the encrypted one
50
62
 
51
63
  Comparison is done using a constant-time secure comparison method, from the gem (fast_secure_compare)[https://github.com/daxtens/fast_secure_compare]
52
64
 
53
65
  To do it simply run:
54
66
 
55
67
  ``` ruby
56
- PEPPER = '435a501746f35834862e49fd6654680803bc37a2a83bc67318342603b7176aaa'
57
- seraph::Authenticator.call(encrypted_password, plaintext_password)
68
+ Seraph::Authenticator.call(encrypted_password, plaintext_password)
58
69
  # => true or false
59
70
  ```
60
71
 
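Review bot: the new Configuration section (the `+ Pepper strenghtens ...` paragraph and the `+ config.pepper = 'GENERATED-PEPPER'` example) tells readers to keep the pepper as a literal in application code, which lands the secret in version control and in every copy of the code that ships; suggest loading it from the environment or a secret store (e.g. `config.pepper = ENV.fetch('SERAPH_PEPPER')`) and saying so in the prose. The same paragraph overstates what a pepper buys: with bcrypt the attacker does not "get the passwords" from a dumped table either way; the pepper's value is that a leaked table cannot be cracked offline without a second secret that lives outside the database. A related caveat worth documenting: bcrypt uses only the first 72 bytes of its input, and the README recommends a 64-character hex pepper without saying how it is combined with the password, so readers cannot tell whether a long password (or the pepper itself) is silently truncated; state the concatenation order or pre-hash the input. Typos in added lines: `strenghtens` → `strengthens`, `ofcourse` → `of course`, `which you can be persisted` → `which can be persisted`, and `Then use in the configuration block` wants a trailing colon; the unchanged context line `(fast_secure_compare)[https://...]` has the Markdown link syntax reversed (`[text](url)`). Lastly, the new heading `### WIP - Comparing a provided password with the encrypted one` marks authentication as work in progress in a released gem's README; either drop the WIP marker or say what is unfinished.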
@@ -5,5 +5,9 @@ module Seraph
5
5
  include ::Singleton
6
6
 
7
7
  attr_accessor :pepper
8
+
9
+ def reset
10
+ self.pepper = nil
11
+ end
8
12
  end
9
13
  end
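Review bot: `reset` becomes public API on the production configuration singleton, so any caller (or a stray call in an initializer) sets `pepper` to nil at runtime, after which every subsequent hash and comparison silently runs without the pepper; that is the lockout scenario the README warns about, and nothing here guards against it. Suggest marking the method test-only in a comment at minimum, and having it reinitialise all settings rather than only `pepper` so it does not drift as more attributes are added to the class.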
@@ -1,3 +1,3 @@
1
1
  module Seraph
2
- VERSION = '0.0.3'.freeze
2
+ VERSION = '0.0.4'.freeze
3
3
  end
data/spec/spec_helper.rb CHANGED
@@ -10,6 +10,10 @@ RSpec.configure do |config|
10
10
  mocks.verify_partial_doubles = true
11
11
  end
12
12
 
13
+ config.before(:each) do
14
+ Seraph.configuration.reset
15
+ end
16
+
13
17
  config.order = :random
14
18
  Kernel.srand config.seed
15
19
  end
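Review bot: the `config.before(:each)` reset only guarantees isolation for the `pepper` attribute; suggest pairing it with a spec that hashes a password with a pepper set, calls `Seraph.configuration.reset`, and asserts that `Seraph::Authenticator.call` now returns false, since that is the silent failure a lost or cleared pepper produces and nothing in this diff covers it. With `config.order = :random` already in place, the per-example hook is the right choice; a `before(:suite)` reset would not isolate examples from each other.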
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: seraph
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.3
4
+ version: 0.0.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Szymon Szeliga