author | azul <azul@riseup.net> | 2013-02-06 07:53:21 -0800 |
committer | azul <azul@riseup.net> | 2013-02-06 07:53:21 -0800 |
commit | 40955e06c038ad3d84bfe88052c501fb7a6208d8 (patch) | |
tree | b63e83731066d7da948509c391bd0a3f1cfc30f3 /users | |
parent | 70e05a181ce3b79a6ea9b5c76eab5102e94860ca (diff) | |
parent | f1f33f7e041c9e831e27ca5084ce1dd8a35a7c45 (diff) |
Merge pull request #25 from leapcode/feature/keep-session-small
Ensure user data does not clutter session[:handshake]
Diffstat (limited to 'users')
-rw-r--r-- | users/app/models/user.rb | 4 | ||||
-rw-r--r-- | users/leap_web_users.gemspec | 2 | ||||
-rw-r--r-- | users/lib/warden/strategies/secure_remote_password.rb | 11 | ||||
-rw-r--r-- | users/test/integration/api/account_flow_test.rb | 6 | ||||
-rw-r--r-- | users/test/unit/user_test.rb | 7 |
5 files changed, 12 insertions, 18 deletions
diff --git a/users/app/models/user.rb b/users/app/models/user.rb
index 80d49a3..e41c2dc 100644
--- a/users/app/models/user.rb
+++ b/users/app/models/user.rb
@@ -57,10 +57,6 @@ class User < CouchRest::Model::Base
 }.to_json(options)
 end
- def initialize_auth(aa)
- return SRP::Session.new(self, aa)
- end
-
 def salt
 password_salt.hex
 end
diff --git a/users/leap_web_users.gemspec b/users/leap_web_users.gemspec
index 0682a99..0182c1f 100644
--- a/users/leap_web_users.gemspec
+++ b/users/leap_web_users.gemspec
@@ -17,6 +17,6 @@ Gem::Specification.new do |s|
 s.add_dependency "leap_web_core", LeapWeb::VERSION
- s.add_dependency "ruby-srp", "~> 0.1.4"
+ s.add_dependency "ruby-srp", "~> 0.1.5"
 s.add_dependency "rails_warden"
 end
diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb
index 594e27e..483336d 100644
--- a/users/lib/warden/strategies/secure_remote_password.rb
+++ b/users/lib/warden/strategies/secure_remote_password.rb
@@ -25,13 +25,18 @@ module Warden
 end
 def validate!
- user = session[:handshake].authenticate(params['client_auth'].hex)
- user ? success!(user) : fail!(:password => "wrong_password")
+ client = session[:handshake].authenticate(params['client_auth'].hex)
+ client ?
+ success!(User.find_by_login(client.username)) :
+ fail!(:password => "wrong_password")
 end
 def initialize!
 if user = User.find_by_login(id)
- session[:handshake] = user.initialize_auth(params['A'].hex)
+ client = SRP::Client.new user.username,
+ :verifier => user.verifier,
+ :salt => user.salt
+ session[:handshake] = SRP::Session.new(client, params['A'].hex)
 custom! json_response(session[:handshake])
 else
 fail! :login => "user_not_found"
diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb
index 4937814..314d71a 100644
--- a/users/test/integration/api/account_flow_test.rb
+++ b/users/test/integration/api/account_flow_test.rb
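Review bot: In `validate!`, `User.find_by_login(client.username)` can return nil if the account disappeared between `initialize!` and `validate!`, and the new ternary would then call `success!(nil)` instead of failing; resolve the user first and treat nil as a failure, e.g. `user = client && User.find_by_login(client.username)` followed by `user ? success!(user) : fail!(:password => "wrong_password")`. Splitting a `? :` across three lines is also harder to scan than a plain `if client ... else ... end`. The `SRP::Session` kept in `session[:handshake]` is now built from a client holding the user's verifier and salt; whether that material stays server-side depends on the session store, which this diff does not show and is worth confirming. The unit test removed from user_test.rb is not replaced by one covering the new session setup in `initialize!`. The enclosing strategy class inside `module Warden` starts and ends outside the hunk.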
@@ -16,7 +16,7 @@ class AccountFlowTest < ActiveSupport::TestCase
 @login = "integration_test_user"
 User.find_by_login(@login).tap{|u| u.destroy if u}
 @password = "srp, verify me!"
- @srp = SRP::Client.new(@login, @password)
+ @srp = SRP::Client.new @login, :password => @password
 @user_params = {
 :login => @login,
 :password_verifier => @srp.verifier.to_s(16),
@@ -73,7 +73,7 @@ class AccountFlowTest < ActiveSupport::TestCase
 end
 test "signup and wrong password login attempt" do
- srp = SRP::Client.new(@login, "wrong password")
+ srp = SRP::Client.new @login, :password => "wrong password"
 server_auth = srp.authenticate(self)
 assert_json_error :password => "wrong password"
 assert !last_response.successful?
@@ -81,7 +81,7 @@ class AccountFlowTest < ActiveSupport::TestCase
 end
 test "signup and wrong username login attempt" do
- srp = SRP::Client.new("wrong_login", @password)
+ srp = SRP::Client.new "wrong_login", :password => @password
 server_auth = nil
 assert_raises RECORD_NOT_FOUND do
 server_auth = srp.authenticate(self)
diff --git a/users/test/unit/user_test.rb b/users/test/unit/user_test.rb
index 66563a3..10c8b46 100644
--- a/users/test/unit/user_test.rb
+++ b/users/test/unit/user_test.rb
@@ -40,13 +40,6 @@ class UserTest < ActiveSupport::TestCase
 assert_equal @user.password_salt.hex, @user.salt
 end
- test "should include SRP" do
- client_rnd = bigrand(32).hex
- srp_session = @user.initialize_auth(client_rnd)
- assert srp_session.is_a? SRP::Session
- assert_equal client_rnd, srp_session.aa
- end
-
 test 'normal user is no admin' do
 assert !@user.is_admin?
 end |