yauth 0.1.0 → 0.2.0

@@ -88,7 +88,7 @@ Finally, to remove 'foo' user:
88
88
 
89
89
  == Security Considerations
90
90
 
91
- Users are stored in the 'config/users.yml' file, with the password stored as SHA256 hash.
91
+ Users are stored in the 'config/users.yml' file, with the password stored using BCrypt (https://github.com/codahale/bcrypt-ruby).
92
92
  In this way it's safe to add the 'config/users.yml' to the version control system.
93
93
 
94
94
  You can see an example of the 'config/users.yml' file:
@@ -96,13 +96,26 @@ You can see an example of the 'config/users.yml' file:
96
96
  ---
97
97
  - user:
98
98
  username: admin
99
- password: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
99
+ password: !str:BCrypt::Password
100
+ str: $2a$10$UMR/fB5Jn5oRNe.OV9VicOLrg9BnPyN6Vc3S/noI5LWzfMKK2Zj0q
101
+ "@checksum": Lrg9BnPyN6Vc3S/noI5LWzfMKK2Zj0q
102
+ "@cost": 10
103
+ "@salt": $2a$10$UMR/fB5Jn5oRNe.OV9VicO
104
+ "@version": !str:BCrypt::Password 2a
100
105
 
106
+ == Upgrading from version 0.1 to 0.2
107
+
108
+ YOU MUST RECREATE your users.yml file when migrating from 0.1 to 0.2, as I changed the encryption function to BCrypt.
109
+ Unfortunately it's pretty cheap to crack a password encrypted inside an hash, as stated in this article: http://codahale.com/how-to-safely-store-a-password. And one of the main goals of this project it's to store passwords securely.
110
+ Beware that it might be slower to compute, but it is much safer with BCrypt.
111
+
112
+ This has been done thanks to Gabriele Renzi, that has pointed me in the right direction.
101
113
 
102
114
  == TODO
103
115
 
104
116
  Future versions will include:
105
117
  * drop-in api key solution, i.e. user might have a key for API prototypation;
118
+ * hash function independence;
106
119
  * authentication scopes, as defined in warden.
107
120
 
108
121
  == Contributing to yauth
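--- a/data/Rakefile
+++ b/data/Rakefile
@@ -11,6 +11,7 @@ Jeweler::Tasks.new do |gem|
 gem.description = %Q{Yauth is a extremely simple authentication solution for prototipes, developed as a warden strategy. It uses a yaml file to store usernames and hashed password. It provides a better-than-nothing security.}
 gem.email = "matteo@matteocollina.com"
 gem.authors = ["Matteo Collina"]
+gem.add_runtime_dependency 'bcrypt-ruby', '>= 2.1.4'
 gem.add_runtime_dependency 'warden', '~> 1.0'
 gem.add_runtime_dependency 'thor', '~> 0.14.0'
 gem.add_development_dependency 'test_notifier', '~> 0.3.6'
@@ -29,7 +30,7 @@ RSpec::Core::RakeTask.new(:rcov) do |spec|
 spec.pattern = 'spec/**/*_spec.rb'
 spec.rcov = true
 spec.rcov_opts = ["--text-summary", "--exclude","lib\/rspec,bin\/rspec,lib\/rcov," +
-"spec,diff-lcs,thor,warden,rack"]
+"spec,diff-lcs,thor,warden,rack,bcrypt"]
 end
 
 task :default => :spec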
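Review bot: The new runtime dependency on line 14 is declared with an open-ended `>= 2.1.4` constraint, while the neighbouring warden and thor entries use pessimistic `~>` constraints; any future major release of bcrypt-ruby would satisfy it, including one that changes the `BCrypt::Password` API the user class now relies on. Consider `gem.add_runtime_dependency 'bcrypt-ruby', '~> 2.1', '>= 2.1.4'` so the gem pins the major version it was written against while keeping the patch floor. The same constraint is repeated in the generated gemspec hunks and in the metadata file further down, which Jeweler regenerates from this Rakefile, so changing it here is sufficient.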
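--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.0
+0.2.0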
@@ -1,4 +1,9 @@
1
1
  ---
2
2
  - user:
3
3
  username: admin
4
- password: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
4
+ password: !str:BCrypt::Password
5
+ str: $2a$10$UMR/fB5Jn5oRNe.OV9VicOLrg9BnPyN6Vc3S/noI5LWzfMKK2Zj0q
6
+ "@checksum": Lrg9BnPyN6Vc3S/noI5LWzfMKK2Zj0q
7
+ "@cost": 10
8
+ "@salt": $2a$10$UMR/fB5Jn5oRNe.OV9VicO
9
+ "@version": !str:BCrypt::Password 2a
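Review bot: The example serializes the whole `BCrypt::Password` object under a `!str:BCrypt::Password` tag, including its `@checksum`, `@cost` and `@salt` instance variables, although all of that is already encoded in the `$2a$10$...` value on the `str` line. It is not clear that every YAML engine maps this tag back to a `BCrypt::Password` on load, and a hand-edited or regenerated file will most likely hold a plain string, in which case the `==` in `Yauth::User#authenticate` (hunk below) becomes an ordinary string comparison that holds only when the submitted value equals the stored hash itself. Storing just the hash string, `password: $2a$10$UMR/fB5Jn5oRNe.OV9VicOLrg9BnPyN6Vc3S/noI5LWzfMKK2Zj0q`, and rebuilding the object with `BCrypt::Password.new` at comparison time keeps the file format independent of the loader; the README example in the hunk at line 96 above shows the same object dump.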
@@ -1,7 +1,7 @@
1
1
  require 'yaml'
2
- require 'digest/sha1'
3
2
  require 'thor'
4
3
  require 'warden'
4
+ require 'bcrypt'
5
5
 
6
6
  module Yauth
7
7
  class << self
@@ -1,5 +1,8 @@
1
1
 
2
2
  class Yauth::User
3
+
4
+ include BCrypt
5
+
3
6
  attr_accessor :username, :password
4
7
  attr_reader :plain_password
5
8
 
@@ -12,7 +15,7 @@ class Yauth::User
12
15
  end
13
16
 
14
17
  def plain_password=(plain_password)
15
- self.password = Digest::SHA256.hexdigest(plain_password)
18
+ self.password = Password.create(plain_password)
16
19
  @plain_password = plain_password
17
20
  end
18
21
 
@@ -26,6 +29,6 @@ class Yauth::User
26
29
 
27
30
  def authenticate(password)
28
31
  return false if password.to_s == ""
29
- Digest::SHA256.hexdigest(password) == self.password
32
+ self.password == password
30
33
  end
31
34
  end
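Review bot: `self.password == password` on the new line 32 performs a bcrypt comparison only while `password` holds a `BCrypt::Password` instance; `attr_accessor :password` also accepts a plain String, and a String loaded from users.yml turns this line into plain string equality between the stored hash and the submitted value. Wrapping the stored value with `Password.new(self.password.to_s)` makes the check independent of how the attribute was populated, and a `BCrypt::Errors::InvalidHash` raised by a malformed or empty stored value should map to `false` rather than propagate out of a login attempt. The `plain_password=` hunk above could then store the string form, `self.password = Password.create(plain_password).to_s`, so the YAML file holds only the hash string; the spec's `should == cyphertext` expectation in the hunk below would need to follow, and that spec currently has no round trip (set `plain_password`, then `authenticate` with the right and a wrong value) that would catch a regression here.
```ruby
def authenticate(password)
  return false if password.to_s == ""
  # Rebuild the BCrypt::Password from the stored hash string so the comparison
  # does not depend on how @password was populated (YAML load, setter, ...).
  Password.new(self.password.to_s) == password
rescue BCrypt::Errors::InvalidHash
  false
end
```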
@@ -12,9 +12,10 @@ describe User do
12
12
 
13
13
  it "should set the real password based on the plain password" do
14
14
  password = "hello world"
15
- hash = Digest::SHA256.hexdigest(password)
15
+ cyphertext = mock "CypherText"
16
+ BCrypt::Password.should_receive(:create).and_return(cyphertext)
16
17
  subject.plain_password = password
17
- subject.password.should == hash
18
+ subject.password.should == cyphertext
18
19
  end
19
20
 
20
21
  it "should memorize the plain password until the end of the session" do
@@ -5,11 +5,11 @@
5
5
 
6
6
  Gem::Specification.new do |s|
7
7
  s.name = %q{yauth}
8
- s.version = "0.1.0"
8
+ s.version = "0.2.0"
9
9
 
10
10
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
11
11
  s.authors = ["Matteo Collina"]
12
- s.date = %q{2011-03-01}
12
+ s.date = %q{2011-03-02}
13
13
  s.default_executable = %q{yauth}
14
14
  s.description = %q{Yauth is a extremely simple authentication solution for prototipes, developed as a warden strategy. It uses a yaml file to store usernames and hashed password. It provides a better-than-nothing security.}
15
15
  s.email = %q{matteo@matteocollina.com}
@@ -48,7 +48,7 @@ Gem::Specification.new do |s|
48
48
  s.homepage = %q{http://github.com/mcollina/yauth}
49
49
  s.licenses = ["MIT"]
50
50
  s.require_paths = ["lib"]
51
- s.rubygems_version = %q{1.5.2}
51
+ s.rubygems_version = %q{1.5.3}
52
52
  s.summary = %q{A drop-in authentication solution for prototypes.}
53
53
  s.test_files = [
54
54
  "examples/sinatra/app.rb",
@@ -65,12 +65,14 @@ Gem::Specification.new do |s|
65
65
  s.specification_version = 3
66
66
 
67
67
  if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
68
+ s.add_runtime_dependency(%q<bcrypt-ruby>, [">= 2.1.4"])
68
69
  s.add_runtime_dependency(%q<warden>, ["~> 1.0"])
69
70
  s.add_runtime_dependency(%q<thor>, ["~> 0.14.0"])
70
71
  s.add_development_dependency(%q<test_notifier>, ["~> 0.3.6"])
71
72
  s.add_development_dependency(%q<autotest>, ["~> 4.4"])
72
73
  s.add_development_dependency(%q<rcov>, [">= 0"])
73
74
  else
75
+ s.add_dependency(%q<bcrypt-ruby>, [">= 2.1.4"])
74
76
  s.add_dependency(%q<warden>, ["~> 1.0"])
75
77
  s.add_dependency(%q<thor>, ["~> 0.14.0"])
76
78
  s.add_dependency(%q<test_notifier>, ["~> 0.3.6"])
@@ -78,6 +80,7 @@ Gem::Specification.new do |s|
78
80
  s.add_dependency(%q<rcov>, [">= 0"])
79
81
  end
80
82
  else
83
+ s.add_dependency(%q<bcrypt-ruby>, [">= 2.1.4"])
81
84
  s.add_dependency(%q<warden>, ["~> 1.0"])
82
85
  s.add_dependency(%q<thor>, ["~> 0.14.0"])
83
86
  s.add_dependency(%q<test_notifier>, ["~> 0.3.6"])
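--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: yauth
 version: !ruby/object:Gem::Version
-hash: 27
+hash: 23
 prerelease:
 segments:
 - 0
-- 1
+- 2
 - 0
-version: 0.1.0
+version: 0.2.0
 platform: ruby
 authors:
 - Matteo Collina
@@ -15,13 +15,29 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-01 00:00:00 +01:00
+date: 2011-03-02 00:00:00 +01:00
 default_executable: yauth
 dependencies:
 - !ruby/object:Gem::Dependency
-name: warden
+name: bcrypt-ruby
 prerelease: false
 requirement: &id001 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 2
+- 1
+- 4
+version: 2.1.4
+type: :runtime
+version_requirements: *id001
+- !ruby/object:Gem::Dependency
+name: warden
+prerelease: false
+requirement: &id002 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -32,11 +48,11 @@ dependencies:
 - 0
 version: "1.0"
 type: :runtime
-version_requirements: *id001
+version_requirements: *id002
 - !ruby/object:Gem::Dependency
 name: thor
 prerelease: false
-requirement: &id002 !ruby/object:Gem::Requirement
+requirement: &id003 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -48,11 +64,11 @@ dependencies:
 - 0
 version: 0.14.0
 type: :runtime
-version_requirements: *id002
+version_requirements: *id003
 - !ruby/object:Gem::Dependency
 name: test_notifier
 prerelease: false
-requirement: &id003 !ruby/object:Gem::Requirement
+requirement: &id004 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -64,11 +80,11 @@ dependencies:
 - 6
 version: 0.3.6
 type: :development
-version_requirements: *id003
+version_requirements: *id004
 - !ruby/object:Gem::Dependency
 name: autotest
 prerelease: false
-requirement: &id004 !ruby/object:Gem::Requirement
+requirement: &id005 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -79,11 +95,11 @@ dependencies:
 - 4
 version: "4.4"
 type: :development
-version_requirements: *id004
+version_requirements: *id005
 - !ruby/object:Gem::Dependency
 name: rcov
 prerelease: false
-requirement: &id005 !ruby/object:Gem::Requirement
+requirement: &id006 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ">="
@@ -93,7 +109,7 @@ dependencies:
 - 0
 version: "0"
 type: :development
-version_requirements: *id005
+version_requirements: *id006
 description: Yauth is a extremely simple authentication solution for prototipes, developed as a warden strategy. It uses a yaml file to store usernames and hashed password. It provides a better-than-nothing security.
 email: matteo@matteocollina.com
 executables:
@@ -159,7 +175,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project:
-rubygems_version: 1.5.2
+rubygems_version: 1.5.3
 signing_key:
 specification_version: 3
 summary: A drop-in authentication solution for prototypes.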