Merge pull request #163 from azul/feature/3398-save-hashed-token

hash token with sha512 against timing attacs #3398

2 files changed, 13 insertions, 4 deletions

diff --git a/app/controllers/controller_extension/token_authentication.rb b/app/controllers/controller_extension/token_authentication.rb
index 6e0a6ce..b0ed624 100644
--- a/app/controllers/controller_extension/token_authentication.rb
+++ b/app/controllers/controller_extension/token_authentication.rb
@@ -2,8 +2,8 @@ module ControllerExtension::TokenAuthentication
   extend ActiveSupport::Concern
 
   def token
-    @token ||= authenticate_with_http_token do |token_id, options|
-      Token.find(token_id)
+    @token ||= authenticate_with_http_token do |token, options|
+      Token.find_by_token(token)
     end
   end
 
diff --git a/app/models/token.rb b/app/models/token.rb
index e759ee3..ff2ad12 100644
--- a/app/models/token.rb
+++ b/app/models/token.rb
@@ -1,3 +1,5 @@
+require 'digest/sha2'
+
 class Token < CouchRest::Model::Base
 
   use_database :tokens
@@ -11,10 +13,16 @@ class Token < CouchRest::Model::Base
 
   validates :user_id, presence: true
 
+  attr_accessor :token
+
   design do
     view :by_last_seen_at
   end
 
+  def self.find_by_token(token)
+    self.find Digest::SHA512.hexdigest(token)
+  end
+
   def self.expires_after
     APP_CONFIG[:auth] && APP_CONFIG[:auth][:token_expires_after]
   end
@@ -31,7 +39,7 @@ class Token < CouchRest::Model::Base
   end
 
   def to_s
-    id
+    token
   end
 
   def authenticate
@@ -65,7 +73,8 @@ class Token < CouchRest::Model::Base
   def initialize(*args)
     super
     if new_record?
-      self.id = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+      self.token = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+      self.id = Digest::SHA512.hexdigest(self.token)
       self.last_seen_at = Time.now
     end
   end