From 5764daae090227bf4c5967900b708392c967be47 Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Thu, 1 May 2014 10:45:57 +0200
Subject: hash token with sha512 against timing attacs #3398

---
 app/models/token.rb | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

(limited to 'app/models')

diff --git a/app/models/token.rb b/app/models/token.rb
index e759ee3..ff2ad12 100644
--- a/app/models/token.rb
+++ b/app/models/token.rb
@@ -1,3 +1,5 @@
+require 'digest/sha2'
+
 class Token < CouchRest::Model::Base
 
   use_database :tokens
@@ -11,10 +13,16 @@ class Token < CouchRest::Model::Base
 
   validates :user_id, presence: true
 
+  attr_accessor :token
+
   design do
     view :by_last_seen_at
   end
 
+  def self.find_by_token(token)
+    self.find Digest::SHA512.hexdigest(token)
+  end
+
   def self.expires_after
     APP_CONFIG[:auth] && APP_CONFIG[:auth][:token_expires_after]
   end
@@ -31,7 +39,7 @@ class Token < CouchRest::Model::Base
   end
 
   def to_s
-    id
+    token
   end
 
   def authenticate
@@ -65,7 +73,8 @@ class Token < CouchRest::Model::Base
   def initialize(*args)
     super
     if new_record?
-      self.id = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+      self.token = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+      self.id = Digest::SHA512.hexdigest(self.token)
       self.last_seen_at = Time.now
     end
   end
-- 
cgit v1.2.3