hash token with sha512 against timing attacs #3398

author: Azul <azul@leap.se> 2014-05-01 10:45:57 +0200
committer: Azul <azul@leap.se> 2014-05-26 09:58:40 +0200
commit: 5764daae090227bf4c5967900b708392c967be47 (patch)
tree: d611429113b8b0ebc363f8b0333c6896a41c7ced /app
parent: 0f686b1256b4190522bcb101ba06cd2c7406eb36 (diff)
2 files changed, 13 insertions, 4 deletions
diff --git a/app/controllers/controller_extension/token_authentication.rb b/app/controllers/controller_extension/token_authentication.rb
index 6e0a6ce..b0ed624 100644
--- a/app/controllers/controller_extension/token_authentication.rb
+++ b/app/controllers/controller_extension/token_authentication.rb
@@ -2,8 +2,8 @@ module ControllerExtension::TokenAuthentication
   extend ActiveSupport::Concern
 
   def token
-    @token ||= authenticate_with_http_token do |token_id, options|
-      Token.find(token_id)
+    @token ||= authenticate_with_http_token do |token, options|
+      Token.find_by_token(token)
     end
   end
 
diff --git a/app/models/token.rb b/app/models/token.rb
index e759ee3..ff2ad12 100644
--- a/app/models/token.rb
+++ b/app/models/token.rb
@@ -1,3 +1,5 @@
+require 'digest/sha2'
+
 class Token < CouchRest::Model::Base
 
   use_database :tokens
@@ -11,10 +13,16 @@ class Token < CouchRest::Model::Base
 
   validates :user_id, presence: true
 
+  attr_accessor :token
+
   design do
     view :by_last_seen_at
   end
 
+  def self.find_by_token(token)
+    self.find Digest::SHA512.hexdigest(token)
+  end
+
   def self.expires_after
     APP_CONFIG[:auth] && APP_CONFIG[:auth][:token_expires_after]
   end
@@ -31,7 +39,7 @@ class Token < CouchRest::Model::Base
   end
 
   def to_s
-    id
+    token
   end
 
   def authenticate
@@ -65,7 +73,8 @@ class Token < CouchRest::Model::Base
   def initialize(*args)
     super
     if new_record?
-      self.id = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+      self.token = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+      self.id = Digest::SHA512.hexdigest(self.token)
       self.last_seen_at = Time.now
     end
   end
author	Azul <azul@leap.se>	2014-05-01 10:45:57 +0200
committer	Azul <azul@leap.se>	2014-05-26 09:58:40 +0200
commit	5764daae090227bf4c5967900b708392c967be47 (patch)
tree	d611429113b8b0ebc363f8b0333c6896a41c7ced /app
parent	0f686b1256b4190522bcb101ba06cd2c7406eb36 (diff)