From 5764daae090227bf4c5967900b708392c967be47 Mon Sep 17 00:00:00 2001
From: Azul
Date: Thu, 1 May 2014 10:45:57 +0200
Subject: hash token with sha512 against timing attacs #3398

---
 test/functional/test_helpers_test.rb | 2 +-
 test/functional/v1/sessions_controller_test.rb | 2 +-
 test/integration/api/token_test.rb | 15 +++++++++++++++
 test/support/auth_test_helper.rb | 5 +++--
 test/unit/token_test.rb | 23 ++++++++++++++---------
 5 files changed, 34 insertions(+), 13 deletions(-)
 create mode 100644 test/integration/api/token_test.rb

(limited to 'test')

diff --git a/test/functional/test_helpers_test.rb b/test/functional/test_helpers_test.rb
index 845e516..ca85482 100644
--- a/test/functional/test_helpers_test.rb
+++ b/test/functional/test_helpers_test.rb
@@ -27,7 +27,7 @@ class TestHelpersTest < ActionController::TestCase
 def test_login_adds_token_header
 login
 token_present = @controller.authenticate_with_http_token do |token, options|
- assert_equal @token.id, token
+ assert_equal @token.to_s, token
 end
 # authenticate_with_http_token just returns nil and does not
 # execute the block if there is no token. So we have to also
diff --git a/test/functional/v1/sessions_controller_test.rb b/test/functional/v1/sessions_controller_test.rb
index df0d681..8bb6acd 100644
--- a/test/functional/v1/sessions_controller_test.rb
+++ b/test/functional/v1/sessions_controller_test.rb
@@ -48,7 +48,7 @@ class V1::SessionsControllerTest < ActionController::TestCase
 assert_response :success
 assert json_response.keys.include?("id")
 assert json_response.keys.include?("token")
- assert token = Token.find(json_response['token'])
+ assert token = Token.find_by_token(json_response['token'])
 assert_equal @user.id, token.user_id
 end

diff --git a/test/integration/api/token_test.rb b/test/integration/api/token_test.rb
new file mode 100644
index 0000000..ad3ac22
--- /dev/null
+++ b/test/integration/api/token_test.rb
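Review bot: The assertion now compares the header token against `@token.to_s`, while the helper that builds that header in this same commit (`header_for_token_auth` in test/support/auth_test_helper.rb) encodes `@token.token`; the test therefore only holds if `Token#to_s` returns the same string as `#token`, which nothing in this diff shows. Using the same accessor on both sides removes that hidden coupling: `assert_equal @token.token, token`. The rest of `test_login_adds_token_header` continues past the end of the hunk.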
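Review bot: `assert token = Token.find_by_token(json_response['token'])` keeps an assignment inside an assertion, which reads like a mistyped `==` and, when the lookup misses, fails only with a generic "nil is not true" message. Splitting it makes the intent explicit and the failure informative: `token = Token.find_by_token(json_response['token'])` followed by `assert_not_nil token, "token returned by the session response should resolve to a record"`. Whether `find_by_token` digests the credential before looking it up is not visible here; the new integration test in this commit pins the SHA512 storage shape, so this test can stay focused on the user association.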
@@ -0,0 +1,15 @@
+require 'test_helper'
+require_relative 'srp_test'
+
+class TokenTest < SrpTest
+
+ setup do
+ register_user
+ end
+
+ test "stores token SHA512 encoded" do
+ authenticate
+ token = server_auth['token']
+ assert Token.find(Digest::SHA512.hexdigest(token))
+ end
+end
diff --git a/test/support/auth_test_helper.rb b/test/support/auth_test_helper.rb
index 57f9f9b..28e9633 100644
--- a/test/support/auth_test_helper.rb
+++ b/test/support/auth_test_helper.rb
@@ -46,8 +46,9 @@ module AuthTestHelper
 protected

 def header_for_token_auth
- @token = find_record(:token, :authenticate => @current_user)
- ActionController::HttpAuthentication::Token.encode_credentials @token.id
+ @token = stub_record(:token, :authenticate => @current_user)
+ Token.stubs(:find_by_token).with(@token.token).returns(@token)
+ ActionController::HttpAuthentication::Token.encode_credentials @token.token
 end

 def expect_warden_logout
diff --git a/test/unit/token_test.rb b/test/unit/token_test.rb
index a3c6cf6..b143345 100644
--- a/test/unit/token_test.rb
+++ b/test/unit/token_test.rb
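Review bot: The test name `stores token SHA512 encoded` calls a hash an encoding; SHA512 is one-way, and that irreversibility is the property the commit relies on (a stored digest cannot be turned back into a usable credential), so the name should say so, e.g. `test "stores token as its SHA512 digest"`. The assertion `assert Token.find(Digest::SHA512.hexdigest(token))` only checks something if `Token.find` returns nil on a miss; if it raises instead, a wrong id still fails the test but by exception rather than by the assertion, which is acceptable but deserves a one-line comment such as `# the persisted id must be the digest of the secret the client received, never the secret itself`. `Digest::SHA512` is used without a `require 'digest'`, presumably because test_helper loads it, as the unit test in this commit makes the same assumption.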
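Review bot: Every functional test that authenticates through `header_for_token_auth` now exercises neither the digest computation nor the real lookup, because the new line `Token.stubs(:find_by_token).with(@token.token).returns(@token)` short-circuits it; that is reasonable for isolation, but the helper should say so, e.g. `# lookup is stubbed here; the digest/lookup path is covered by test/integration/api/token_test.rb`. The stub also assumes `stub_record(:token, ...)` populates `token`: if that factory leaves it nil, `encode_credentials nil` would build an empty credential and `with(nil)` would still match, so the helper would pass silently — an `assert @token.token` after the stub_record line would catch that, though `stub_record` itself is not shown here. `expect_warden_logout` continues outside the hunk.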
@@ -14,17 +14,22 @@ class ClientCertificateTest < ActiveSupport::TestCase
 assert_equal @user, sample.authenticate
 end

- test "token id is secure" do
+ test "token is secure" do
 sample = Token.new(:user_id => @user.id)
 other = Token.new(:user_id => @user.id)
- assert sample.id,
- "id is set on initialization"
- assert sample.id[0..10] != other.id[0..10],
- "token id prefixes should not repeat"
- assert /[g-zG-Z]/.match(sample.id),
- "should use non hex chars in the token id"
- assert sample.id.size > 16,
- "token id should be more than 16 chars long"
+ assert sample.token,
+ "token is set on initialization"
+ assert sample.token[0..10] != other.token[0..10],
+ "token prefixes should not repeat"
+ assert /[g-zG-Z]/.match(sample.token),
+ "should use non hex chars in the token"
+ assert sample.token.size > 16,
+ "token should be more than 16 chars long"
+ end
+
+ test "token id is hash of the token" do
+ sample = Token.new(:user_id => @user.id)
+ assert_equal Digest::SHA512.hexdigest(sample.token), sample.id
 end

 test "token checks for user" do
--
cgit v1.2.3
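Review bot: The `/[g-zG-Z]/.match(sample.token)` and prefix-comparison assertions in `token is secure` are probabilistic — a random token can, rarely, consist of hex characters only or share an 11-character prefix with another — and they were carried over from the old id checks rather than adapted to the new split between the secret and its id. The new `token id is hash of the token` test is the right place to pin that split deterministically; adding `assert_not_equal sample.token, sample.id, "the id must not be the secret itself"` states the property the commit cares about instead of inferring it from character classes. The class header `ClientCertificateTest` shown in the hunk context is unchanged and outside the hunk, but its name no longer matches what the file tests.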