From c7d473882a01981ff6ff8f0e2b5c120a0026a531 Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Tue, 2 Oct 2012 15:45:43 +0200
Subject: send salt on initializing login

---
 users/app/controllers/sessions_controller.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'users/app')

diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb
index e68d798..f79b069 100644
--- a/users/app/controllers/sessions_controller.rb
+++ b/users/app/controllers/sessions_controller.rb
@@ -8,7 +8,8 @@ class SessionsController < ApplicationController
   def create
     @user = User.find_by_param(params[:login])
     session[:handshake] = @user.initialize_auth(params['A'].hex)
-    render :json => { :B => session[:handshake].bb.to_s(16) }
+    render :json => { :B => session[:handshake].bb.to_s(16),
+      :salt => @user.password_salt }
   rescue RECORD_NOT_FOUND
     render :json => {:errors => {:login => ["unknown user"]}}
   end
-- 
cgit v1.2.3


From 5bc3eae400754dda90a45d6953a02a069a1c0285 Mon Sep 17 00:00:00 2001
From: jessib <jessib@riseup.net>
Date: Tue, 2 Oct 2012 15:29:28 -0700
Subject: Some more tweaks to help ticket models. Still want to tweak
 current_user access from users engine.

---
 users/app/controllers/sessions_controller.rb | 6 ++++++
 users/app/models/user.rb                     | 7 +++++++
 2 files changed, 13 insertions(+)

(limited to 'users/app')

diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb
index e68d798..d398057 100644
--- a/users/app/controllers/sessions_controller.rb
+++ b/users/app/controllers/sessions_controller.rb
@@ -8,6 +8,7 @@ class SessionsController < ApplicationController
   def create
     @user = User.find_by_param(params[:login])
     session[:handshake] = @user.initialize_auth(params['A'].hex)
+    User.current = @user #?
     render :json => { :B => session[:handshake].bb.to_s(16) }
   rescue RECORD_NOT_FOUND
     render :json => {:errors => {:login => ["unknown user"]}}
@@ -17,6 +18,7 @@ class SessionsController < ApplicationController
     @user = User.find_by_param(params[:id])
     @server_auth = @user.authenticate!(params[:client_auth].hex, session.delete(:handshake))
     session[:user_id] = @user.id
+    User.current = @user #?
     render :json => {:M2 => @server_auth}
   rescue WRONG_PASSWORD
     session[:handshake] = nil
@@ -25,6 +27,10 @@ class SessionsController < ApplicationController
 
   def destroy
     session[:user_id] = nil
+    User.current = nil #?
     redirect_to root_path
   end
+
+  
+
 end
diff --git a/users/app/models/user.rb b/users/app/models/user.rb
index fa64f42..95ee810 100644
--- a/users/app/models/user.rb
+++ b/users/app/models/user.rb
@@ -46,4 +46,11 @@ class User < CouchRest::Model::Base
     password_verifier.hex
   end
 
+  def self.current
+    Thread.current[:user]
+  end
+  def self.current=(user)
+    Thread.current[:user] = user
+  end
+
 end
-- 
cgit v1.2.3


From 118d9ab5c9f4d7a82b7cf24774ef12d3c221f8ef Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Fri, 5 Oct 2012 13:59:39 +0200
Subject: moving to ruby_srp 0.1.0, works with python srp

---
 users/app/controllers/sessions_controller.rb |  6 ++++--
 users/app/models/user.rb                     | 10 ++++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

(limited to 'users/app')

diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb
index 7852e5c..b8043f5 100644
--- a/users/app/controllers/sessions_controller.rb
+++ b/users/app/controllers/sessions_controller.rb
@@ -15,11 +15,13 @@ class SessionsController < ApplicationController
   end
 
   def update
+    # TODO: validate the id belongs to the session
     @user = User.find_by_param(params[:id])
-    @server_auth = @user.authenticate!(params[:client_auth].hex, session.delete(:handshake))
+    @srp_session = session.delete(:handshake)
+    @server_auth = @srp_session.authenticate!(params[:client_auth].hex)
     session[:user_id] = @user.id
     User.current = @user #?
-    render :json => {:M2 => @server_auth}
+    render :json => {:M2 => "%064x" % @server_auth}
   rescue WRONG_PASSWORD
     session[:handshake] = nil
     render :json => {:errors => {"password" => ["wrong password"]}}
diff --git a/users/app/models/user.rb b/users/app/models/user.rb
index 95ee810..a6aab84 100644
--- a/users/app/models/user.rb
+++ b/users/app/models/user.rb
@@ -1,7 +1,5 @@
 class User < CouchRest::Model::Base
 
-  include SRP::Authentication
-
   property :login, String, :accessible => true
   property :email, String, :accessible => true
   property :password_verifier, String, :accessible => true
@@ -38,6 +36,10 @@ class User < CouchRest::Model::Base
     super(options.merge(:only => ['login', 'password_salt']))
   end
 
+  def initialize_auth(aa)
+    return SRP::Session.new(self, aa)
+  end
+
   def salt
     password_salt.hex
   end
@@ -46,6 +48,10 @@ class User < CouchRest::Model::Base
     password_verifier.hex
   end
 
+  def username
+    login
+  end
+
   def self.current
     Thread.current[:user]
   end
-- 
cgit v1.2.3


From c2d5a80b576ffc5f9ff0807c9a52fec8b4f34123 Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Fri, 5 Oct 2012 16:47:19 +0200
Subject: ruby-srp 0.1.1 has to_json method - simplifies controller

---
 users/app/controllers/sessions_controller.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'users/app')

diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb
index b8043f5..284c0e2 100644
--- a/users/app/controllers/sessions_controller.rb
+++ b/users/app/controllers/sessions_controller.rb
@@ -9,7 +9,7 @@ class SessionsController < ApplicationController
     @user = User.find_by_param(params[:login])
     session[:handshake] = @user.initialize_auth(params['A'].hex)
     User.current = @user #?
-    render :json => { :B => session[:handshake].bb.to_s(16), :salt => @user.password_salt }
+    render :json => session[:handshake]
   rescue RECORD_NOT_FOUND
     render :json => {:errors => {:login => ["unknown user"]}}
   end
@@ -18,10 +18,10 @@ class SessionsController < ApplicationController
     # TODO: validate the id belongs to the session
     @user = User.find_by_param(params[:id])
     @srp_session = session.delete(:handshake)
-    @server_auth = @srp_session.authenticate!(params[:client_auth].hex)
+    @srp_session.authenticate!(params[:client_auth].hex)
     session[:user_id] = @user.id
     User.current = @user #?
-    render :json => {:M2 => "%064x" % @server_auth}
+    render :json => @srp_session
   rescue WRONG_PASSWORD
     session[:handshake] = nil
     render :json => {:errors => {"password" => ["wrong password"]}}
-- 
cgit v1.2.3


From 2215250a39162f9e1fcb8f90e02a637faa63438c Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Sun, 7 Oct 2012 20:09:00 +0200
Subject: added validations

---
 users/app/models/user.rb | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

(limited to 'users/app')

diff --git a/users/app/models/user.rb b/users/app/models/user.rb
index a6aab84..e10f55e 100644
--- a/users/app/models/user.rb
+++ b/users/app/models/user.rb
@@ -5,8 +5,17 @@ class User < CouchRest::Model::Base
   property :password_verifier, String, :accessible => true
   property :password_salt, String, :accessible => true
 
-  validates :login, :password_salt, :password_verifier, :presence => true
-  validates :login, :uniqueness => true
+  validates :login, :password_salt, :password_verifier,
+    :presence => true
+
+  validates :login,
+    :uniqueness => true,
+    :format => { :with => /\A\w+\z/,
+      :message => "Only letters, digits and _ allowed" }
+
+  validates :password_salt, :password_verifier,
+    :format => { :with => /\A[\dA-Fa-f]+\z/,
+      :message => "Only hex numbers allowed" }
 
   timestamps!
 
-- 
cgit v1.2.3


From d776e9ea988b0bc00b24c0e0760bcfe3d95057a7 Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Sun, 7 Oct 2012 21:00:36 +0200
Subject: adding validations for valid login chars and verifier and salt being
 hex

---
 users/app/models/user.rb | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'users/app')

diff --git a/users/app/models/user.rb b/users/app/models/user.rb
index e10f55e..1afb9db 100644
--- a/users/app/models/user.rb
+++ b/users/app/models/user.rb
@@ -9,8 +9,10 @@ class User < CouchRest::Model::Base
     :presence => true
 
   validates :login,
-    :uniqueness => true,
-    :format => { :with => /\A\w+\z/,
+    :uniqueness => true
+
+  validates :login,
+    :format => { :with => /\A[A-Za-z\d_]+\z/,
       :message => "Only letters, digits and _ allowed" }
 
   validates :password_salt, :password_verifier,
@@ -31,8 +33,8 @@ class User < CouchRest::Model::Base
     # valid set of attributes for testing
     def valid_attributes_hash
       { :login => "me",
-        :password_verifier => "1234",
-        :password_salt => "4321" }
+        :password_verifier => "1234ABC",
+        :password_salt => "4321AB" }
     end
 
   end
-- 
cgit v1.2.3