authorazul <azul@leap.se>2014-05-26 10:08:27 +0200
committerazul <azul@leap.se>2014-05-26 10:08:27 +0200
commit1d0d61389011a8d0d169bc139590d90a6fbbac60 (patch)
tree9746836914f455889af9e24fdff36a1241ef4b24 /app
parentdf298887221cffc8cacc8965d73a0d7850118849 (diff)
parent5764daae090227bf4c5967900b708392c967be47 (diff)
Merge pull request #163 from azul/feature/3398-save-hashed-token
hash token with sha512 against timing attacks #3398
Diffstat (limited to 'app')
-rw-r--r--app/controllers/controller_extension/token_authentication.rb4
-rw-r--r--app/models/token.rb13
2 files changed, 13 insertions, 4 deletions
diff --git a/app/controllers/controller_extension/token_authentication.rb b/app/controllers/controller_extension/token_authentication.rb
index 6e0a6ce..b0ed624 100644
--- a/app/controllers/controller_extension/token_authentication.rb
+++ b/app/controllers/controller_extension/token_authentication.rb
@@ -2,8 +2,8 @@ module ControllerExtension::TokenAuthentication
extend ActiveSupport::Concern
def token
- @token ||= authenticate_with_http_token do |token_id, options|
- Token.find(token_id)
+ @token ||= authenticate_with_http_token do |token, options|
+ Token.find_by_token(token)
end
end
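Review bot: The new block parameter `token` on the `authenticate_with_http_token` line shadows the enclosing method `token` that is being defined, and `options` is never used, which makes it easy to misread which value is the bearer string and which is the memoized model. `|raw_token, _options|` together with `Token.find_by_token(raw_token)` keeps the two apart and marks the unused parameter. The lookup itself goes through `find_by_token`, so the presented plaintext is hashed before any id lookup is made.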
diff --git a/app/models/token.rb b/app/models/token.rb
index e759ee3..ff2ad12 100644
--- a/app/models/token.rb
+++ b/app/models/token.rb
@@ -1,3 +1,5 @@
+require 'digest/sha2'
+
class Token < CouchRest::Model::Base
use_database :tokens
@@ -11,10 +13,16 @@ class Token < CouchRest::Model::Base
validates :user_id, presence: true
+ attr_accessor :token
+
design do
view :by_last_seen_at
end
+ def self.find_by_token(token)
+ self.find Digest::SHA512.hexdigest(token)
+ end
+
def self.expires_after
APP_CONFIG[:auth] && APP_CONFIG[:auth][:token_expires_after]
end
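Review bot: `find_by_token` passes its argument straight to `Digest::SHA512.hexdigest`, which raises `TypeError` on nil, so any caller that has not already checked presence gets an exception instead of a lookup miss; `return if token.nil?` as a guard (or `hexdigest(token.to_s)`) keeps the method a plain lookup, and while there `find(Digest::SHA512.hexdigest(token))` drops the redundant `self.` receiver and paren-less call. `attr_accessor :token` is a plain Ruby accessor rather than a CouchRest property, so the plaintext only exists on the instance that generated it and is nil on every record returned by `find_by_token` — that is the right thing to persist, but it deserves a comment on the accessor, e.g. `# Plaintext token; set only on a freshly generated record and never stored (the document id is its SHA-512).`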
@@ -31,7 +39,7 @@ class Token < CouchRest::Model::Base
end
def to_s
- id
+ token
end
def authenticate
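Review bot: `to_s` now returns `token`, which this diff only assigns in `initialize` for new records, so for a Token loaded from the database `to_s` returns nil rather than a String; callers that interpolate or log a found token will see an empty string where they previously got the id. If that is the intent, a comment should say so, e.g. `# The plaintext token, known only to the instance that generated it; nil once the record is loaded from the database.`; if callers rely on getting a String, `token.to_s` is the safe form. The `authenticate` method on the last line continues outside the hunk.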
@@ -65,7 +73,8 @@ class Token < CouchRest::Model::Base
def initialize(*args)
super
if new_record?
- self.id = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+ self.token = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+ self.id = Digest::SHA512.hexdigest(self.token)
self.last_seen_at = Time.now
end
end
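Review bot: The `gsub(/^_*/, '')` carried over onto the new `self.token =` line strips leading underscores from the plaintext, which looks like a leftover from when that value was the CouchDB document id; the id is now the hex digest, which can never start with `_`, so the stripping only occasionally shortens the token and appears to be unnecessary — if it is kept, `\A` is the whole-string anchor rather than the per-line `^`. `Digest::SHA512.hexdigest(self.token)` can drop the explicit receiver, and the pair of assignments would read better with a why-comment such as `# Only the SHA-512 of the token is stored, as the document id; the plaintext stays in the transient @token.`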