authorazul <azul@riseup.net>2013-02-06 07:53:21 -0800
committerazul <azul@riseup.net>2013-02-06 07:53:21 -0800
commit40955e06c038ad3d84bfe88052c501fb7a6208d8 (patch)
treeb63e83731066d7da948509c391bd0a3f1cfc30f3 /users
parent70e05a181ce3b79a6ea9b5c76eab5102e94860ca (diff)
parentf1f33f7e041c9e831e27ca5084ce1dd8a35a7c45 (diff)
Merge pull request #25 from leapcode/feature/keep-session-small
Ensure user data does not clutter session[:handshake]
Diffstat (limited to 'users')
-rw-r--r--users/app/models/user.rb4
-rw-r--r--users/leap_web_users.gemspec2
-rw-r--r--users/lib/warden/strategies/secure_remote_password.rb11
-rw-r--r--users/test/integration/api/account_flow_test.rb6
-rw-r--r--users/test/unit/user_test.rb7
5 files changed, 12 insertions, 18 deletions
diff --git a/users/app/models/user.rb b/users/app/models/user.rb
index 80d49a3..e41c2dc 100644
--- a/users/app/models/user.rb
+++ b/users/app/models/user.rb
@@ -57,10 +57,6 @@ class User < CouchRest::Model::Base
}.to_json(options)
end
- def initialize_auth(aa)
- return SRP::Session.new(self, aa)
- end
-
def salt
password_salt.hex
end
diff --git a/users/leap_web_users.gemspec b/users/leap_web_users.gemspec
index 0682a99..0182c1f 100644
--- a/users/leap_web_users.gemspec
+++ b/users/leap_web_users.gemspec
@@ -17,6 +17,6 @@ Gem::Specification.new do |s|
s.add_dependency "leap_web_core", LeapWeb::VERSION
- s.add_dependency "ruby-srp", "~> 0.1.4"
+ s.add_dependency "ruby-srp", "~> 0.1.5"
s.add_dependency "rails_warden"
end
diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb
index 594e27e..483336d 100644
--- a/users/lib/warden/strategies/secure_remote_password.rb
+++ b/users/lib/warden/strategies/secure_remote_password.rb
@@ -25,13 +25,18 @@ module Warden
end
def validate!
- user = session[:handshake].authenticate(params['client_auth'].hex)
- user ? success!(user) : fail!(:password => "wrong_password")
+ client = session[:handshake].authenticate(params['client_auth'].hex)
+ client ?
+ success!(User.find_by_login(client.username)) :
+ fail!(:password => "wrong_password")
end
def initialize!
if user = User.find_by_login(id)
- session[:handshake] = user.initialize_auth(params['A'].hex)
+ client = SRP::Client.new user.username,
+ :verifier => user.verifier,
+ :salt => user.salt
+ session[:handshake] = SRP::Session.new(client, params['A'].hex)
custom! json_response(session[:handshake])
else
fail! :login => "user_not_found"
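Review bot: In `validate!` the new `success!(User.find_by_login(client.username))` passes whatever the lookup returns straight to Warden, and `initialize!` a few lines below shows that `find_by_login` can return a falsy value (`if user = User.find_by_login(id)`), so a login that disappeared between the two SRP steps would reach `success!` with `nil` instead of failing. The three-line ternary is also hard to read; collapsing the verdict into a guarded lookup covers both: `user = client && User.find_by_login(client.username)` followed by `user ? success!(user) : fail!(:password => "wrong_password")`. As far as the hunk shows, `session[:handshake]` is never cleared once `validate!` has reached a verdict, so the SRP session object the PR is trying to keep small still outlives the handshake; dropping it after the check would fit the commit's intent, assuming the strategy's `session` supports deletion. The deleted "should include SRP" unit test in user_test.rb is not replaced, so the `SRP::Client`/`SRP::Session` construction now living in `initialize!` has no unit-level coverage. `initialize!` continues past the end of this hunk.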
diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb
index 4937814..314d71a 100644
--- a/users/test/integration/api/account_flow_test.rb
+++ b/users/test/integration/api/account_flow_test.rb
@@ -16,7 +16,7 @@ class AccountFlowTest < ActiveSupport::TestCase
@login = "integration_test_user"
User.find_by_login(@login).tap{|u| u.destroy if u}
@password = "srp, verify me!"
- @srp = SRP::Client.new(@login, @password)
+ @srp = SRP::Client.new @login, :password => @password
@user_params = {
:login => @login,
:password_verifier => @srp.verifier.to_s(16),
@@ -73,7 +73,7 @@ class AccountFlowTest < ActiveSupport::TestCase
end
test "signup and wrong password login attempt" do
- srp = SRP::Client.new(@login, "wrong password")
+ srp = SRP::Client.new @login, :password => "wrong password"
server_auth = srp.authenticate(self)
assert_json_error :password => "wrong password"
assert !last_response.successful?
@@ -81,7 +81,7 @@ class AccountFlowTest < ActiveSupport::TestCase
end
test "signup and wrong username login attempt" do
- srp = SRP::Client.new("wrong_login", @password)
+ srp = SRP::Client.new "wrong_login", :password => @password
server_auth = nil
assert_raises RECORD_NOT_FOUND do
server_auth = srp.authenticate(self)
diff --git a/users/test/unit/user_test.rb b/users/test/unit/user_test.rb
index 66563a3..10c8b46 100644
--- a/users/test/unit/user_test.rb
+++ b/users/test/unit/user_test.rb
@@ -40,13 +40,6 @@ class UserTest < ActiveSupport::TestCase
assert_equal @user.password_salt.hex, @user.salt
end
- test "should include SRP" do
- client_rnd = bigrand(32).hex
- srp_session = @user.initialize_auth(client_rnd)
- assert srp_session.is_a? SRP::Session
- assert_equal client_rnd, srp_session.aa
- end
-
test 'normal user is no admin' do
assert !@user.is_admin?
end