summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorAzul <azul@leap.se>2014-05-01 10:45:57 +0200
committerAzul <azul@leap.se>2014-05-26 09:58:40 +0200
commit5764daae090227bf4c5967900b708392c967be47 (patch)
treed611429113b8b0ebc363f8b0333c6896a41c7ced /app
parent0f686b1256b4190522bcb101ba06cd2c7406eb36 (diff)
hash token with sha512 against timing attacs #3398
Diffstat (limited to 'app')
-rw-r--r--app/controllers/controller_extension/token_authentication.rb4
-rw-r--r--app/models/token.rb13
2 files changed, 13 insertions, 4 deletions
diff --git a/app/controllers/controller_extension/token_authentication.rb b/app/controllers/controller_extension/token_authentication.rb
index 6e0a6ce..b0ed624 100644
--- a/app/controllers/controller_extension/token_authentication.rb
+++ b/app/controllers/controller_extension/token_authentication.rb
@@ -2,8 +2,8 @@ module ControllerExtension::TokenAuthentication
extend ActiveSupport::Concern
def token
- @token ||= authenticate_with_http_token do |token_id, options|
- Token.find(token_id)
+ @token ||= authenticate_with_http_token do |token, options|
+ Token.find_by_token(token)
end
end
diff --git a/app/models/token.rb b/app/models/token.rb
index e759ee3..ff2ad12 100644
--- a/app/models/token.rb
+++ b/app/models/token.rb
@@ -1,3 +1,5 @@
+require 'digest/sha2'
+
class Token < CouchRest::Model::Base
use_database :tokens
@@ -11,10 +13,16 @@ class Token < CouchRest::Model::Base
validates :user_id, presence: true
+ attr_accessor :token
+
design do
view :by_last_seen_at
end
+ def self.find_by_token(token)
+ self.find Digest::SHA512.hexdigest(token)
+ end
+
def self.expires_after
APP_CONFIG[:auth] && APP_CONFIG[:auth][:token_expires_after]
end
@@ -31,7 +39,7 @@ class Token < CouchRest::Model::Base
end
def to_s
- id
+ token
end
def authenticate
@@ -65,7 +73,8 @@ class Token < CouchRest::Model::Base
def initialize(*args)
super
if new_record?
- self.id = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+ self.token = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+ self.id = Digest::SHA512.hexdigest(self.token)
self.last_seen_at = Time.now
end
end