yauth 0.1.0 → 0.2.0

data/README.rdoc

@@ -88,7 +88,7 @@ Finally, to remove 'foo' user:
 
 == Security Considerations
 
-Users are stored in the 'config/users.yml' file, with the password stored as SHA256 hash. 
+Users are stored in the 'config/users.yml' file, with the password stored using BCrypt (https://github.com/codahale/bcrypt-ruby). 
 In this way it's safe to add the 'config/users.yml' to the version control system.
 
 You can see an example of the 'config/users.yml' file:
@@ -96,13 +96,26 @@ You can see an example of the 'config/users.yml' file:
   --- 
   - user: 
       username: admin
-      password: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+      password: !str:BCrypt::Password 
+        str: $2a$10$UMR/fB5Jn5oRNe.OV9VicOLrg9BnPyN6Vc3S/noI5LWzfMKK2Zj0q
+        "@checksum": Lrg9BnPyN6Vc3S/noI5LWzfMKK2Zj0q
+        "@cost": 10
+        "@salt": $2a$10$UMR/fB5Jn5oRNe.OV9VicO
+        "@version": !str:BCrypt::Password 2a
 
+== Upgrading from version 0.1 to 0.2
+
+YOU MUST RECREATE your users.yml file when migrating from 0.1 to 0.2, as I changed the encryption function to BCrypt.
+Unfortunately it's pretty cheap to crack a password encrypted inside an hash, as stated in this article: http://codahale.com/how-to-safely-store-a-password. And one of the main goals of this project it's to store passwords securely.
+Beware that it might be slower to compute, but it is much safer with BCrypt.
+
+This has been done thanks to Gabriele Renzi, that has pointed me in the right direction.
 
 == TODO
 
 Future versions will include:
 * drop-in api key solution, i.e. user might have a key for API prototypation;
+* hash function independence;
 * authentication scopes, as defined in warden.
 
 == Contributing to yauth

data/Rakefile

@@ -11,6 +11,7 @@ Jeweler::Tasks.new do |gem|
   gem.description = %Q{Yauth is a extremely simple authentication solution for prototipes, developed as a warden strategy. It uses a yaml file to store usernames and hashed password. It provides a better-than-nothing security.}
   gem.email = "matteo@matteocollina.com"
   gem.authors = ["Matteo Collina"]
+  gem.add_runtime_dependency 'bcrypt-ruby', '>= 2.1.4'
   gem.add_runtime_dependency 'warden', '~> 1.0'
   gem.add_runtime_dependency 'thor', '~> 0.14.0'
   gem.add_development_dependency 'test_notifier', '~> 0.3.6'
@@ -29,7 +30,7 @@ RSpec::Core::RakeTask.new(:rcov) do |spec|
   spec.pattern = 'spec/**/*_spec.rb'
   spec.rcov = true
   spec.rcov_opts = ["--text-summary", "--exclude","lib\/rspec,bin\/rspec,lib\/rcov," + 
-             "spec,diff-lcs,thor,warden,rack"]
+             "spec,diff-lcs,thor,warden,rack,bcrypt"]
 end
 
 task :default => :spec

data/VERSION

@@ -1 +1 @@
-0.1.0
+0.2.0

data/examples/sinatra/config/users.yml

@@ -1,4 +1,9 @@
 --- 
 - user: 
     username: admin
-    password: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+    password: !str:BCrypt::Password 
+      str: $2a$10$UMR/fB5Jn5oRNe.OV9VicOLrg9BnPyN6Vc3S/noI5LWzfMKK2Zj0q
+      "@checksum": Lrg9BnPyN6Vc3S/noI5LWzfMKK2Zj0q
+      "@cost": 10
+      "@salt": $2a$10$UMR/fB5Jn5oRNe.OV9VicO
+      "@version": !str:BCrypt::Password 2a

data/lib/yauth.rb

@@ -1,7 +1,7 @@
 require 'yaml'
-require 'digest/sha1'
 require 'thor'
 require 'warden'
+require 'bcrypt'
 
 module Yauth
   class << self

data/lib/yauth/user.rb

@@ -1,5 +1,8 @@
 
 class Yauth::User
+
+  include BCrypt
+
   attr_accessor :username, :password
   attr_reader :plain_password
 
@@ -12,7 +15,7 @@ class Yauth::User
   end
 
   def plain_password=(plain_password)
-    self.password = Digest::SHA256.hexdigest(plain_password)
+    self.password = Password.create(plain_password)
     @plain_password = plain_password
   end
   
@@ -26,6 +29,6 @@ class Yauth::User
 
   def authenticate(password)
     return false if password.to_s == "" 
-    Digest::SHA256.hexdigest(password) == self.password
+    self.password == password
   end
 end

data/spec/yauth/user_spec.rb

@@ -12,9 +12,10 @@ describe User do
 
   it "should set the real password based on the plain password" do
     password = "hello world"
-    hash = Digest::SHA256.hexdigest(password)
+    cyphertext = mock "CypherText"
+    BCrypt::Password.should_receive(:create).and_return(cyphertext)
     subject.plain_password = password
-    subject.password.should == hash
+    subject.password.should == cyphertext
   end
 
   it "should memorize the plain password until the end of the session" do

data/yauth.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{yauth}
-  s.version = "0.1.0"
+  s.version = "0.2.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Matteo Collina"]
-  s.date = %q{2011-03-01}
+  s.date = %q{2011-03-02}
   s.default_executable = %q{yauth}
   s.description = %q{Yauth is a extremely simple authentication solution for prototipes, developed as a warden strategy. It uses a yaml file to store usernames and hashed password. It provides a better-than-nothing security.}
   s.email = %q{matteo@matteocollina.com}
@@ -48,7 +48,7 @@ Gem::Specification.new do |s|
   s.homepage = %q{http://github.com/mcollina/yauth}
   s.licenses = ["MIT"]
   s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.5.2}
+  s.rubygems_version = %q{1.5.3}
   s.summary = %q{A drop-in authentication solution for prototypes.}
   s.test_files = [
     "examples/sinatra/app.rb",
@@ -65,12 +65,14 @@ Gem::Specification.new do |s|
     s.specification_version = 3
 
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<bcrypt-ruby>, [">= 2.1.4"])
       s.add_runtime_dependency(%q<warden>, ["~> 1.0"])
       s.add_runtime_dependency(%q<thor>, ["~> 0.14.0"])
       s.add_development_dependency(%q<test_notifier>, ["~> 0.3.6"])
       s.add_development_dependency(%q<autotest>, ["~> 4.4"])
       s.add_development_dependency(%q<rcov>, [">= 0"])
     else
+      s.add_dependency(%q<bcrypt-ruby>, [">= 2.1.4"])
       s.add_dependency(%q<warden>, ["~> 1.0"])
       s.add_dependency(%q<thor>, ["~> 0.14.0"])
       s.add_dependency(%q<test_notifier>, ["~> 0.3.6"])
@@ -78,6 +80,7 @@ Gem::Specification.new do |s|
       s.add_dependency(%q<rcov>, [">= 0"])
     end
   else
+    s.add_dependency(%q<bcrypt-ruby>, [">= 2.1.4"])
     s.add_dependency(%q<warden>, ["~> 1.0"])
     s.add_dependency(%q<thor>, ["~> 0.14.0"])
     s.add_dependency(%q<test_notifier>, ["~> 0.3.6"])

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: yauth
 version: !ruby/object:Gem::Version 
-  hash: 27
+  hash: 23
   prerelease: 
   segments: 
   - 0
-  - 1
+  - 2
   - 0
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors: 
 - Matteo Collina
@@ -15,13 +15,29 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-01 00:00:00 +01:00
+date: 2011-03-02 00:00:00 +01:00
 default_executable: yauth
 dependencies: 
 - !ruby/object:Gem::Dependency 
-  name: warden
+  name: bcrypt-ruby
   prerelease: false
   requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 2
+        - 1
+        - 4
+        version: 2.1.4
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: warden
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -32,11 +48,11 @@ dependencies:
         - 0
         version: "1.0"
   type: :runtime
-  version_requirements: *id001
+  version_requirements: *id002
 - !ruby/object:Gem::Dependency 
   name: thor
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -48,11 +64,11 @@ dependencies:
         - 0
         version: 0.14.0
   type: :runtime
-  version_requirements: *id002
+  version_requirements: *id003
 - !ruby/object:Gem::Dependency 
   name: test_notifier
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -64,11 +80,11 @@ dependencies:
         - 6
         version: 0.3.6
   type: :development
-  version_requirements: *id003
+  version_requirements: *id004
 - !ruby/object:Gem::Dependency 
   name: autotest
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  requirement: &id005 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -79,11 +95,11 @@ dependencies:
         - 4
         version: "4.4"
   type: :development
-  version_requirements: *id004
+  version_requirements: *id005
 - !ruby/object:Gem::Dependency 
   name: rcov
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
+  requirement: &id006 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -93,7 +109,7 @@ dependencies:
         - 0
         version: "0"
   type: :development
-  version_requirements: *id005
+  version_requirements: *id006
 description: Yauth is a extremely simple authentication solution for prototipes, developed as a warden strategy. It uses a yaml file to store usernames and hashed password. It provides a better-than-nothing security.
 email: matteo@matteocollina.com
 executables: 
@@ -159,7 +175,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.5.2
+rubygems_version: 1.5.3
 signing_key: 
 specification_version: 3
 summary: A drop-in authentication solution for prototypes.