| -rw-r--r-- | app/controllers/application_controller.rb | 10 | ||||
| -rw-r--r-- | app/controllers/my/settings_controller.rb | 2 | ||||
| -rw-r--r-- | app/models/user.rb | 37 | ||||
| -rw-r--r-- | spec/controllers/api/v1/logins_controller_spec.rb | 2 |
4 files changed, 31 insertions, 20 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f6abcd89..446b0d12 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -3,7 +3,7 @@ class ApplicationController < ActionController::Base
 # For APIs, you may want to use :null_session instead.
 protect_from_forgery with: :exception
 before_action :load_header
- before_action :configure_permitted_parameters, if: :devise_controller?
+ #before_action :configure_permitted_parameters, if: :devise_controller?
 #before_action :extend_session_cookie
 helper_method :current_user, :user_signed_in?
 rescue_from ActiveRecord::RecordNotFound, with: :record_not_found
@@ -20,11 +20,11 @@ class ApplicationController < ActionController::Base
 current_user
 end
- protected
+ #protected
- def configure_permitted_parameters
- devise_parameter_sanitizer.for(:user) { |u| u.permit(:name, :city, :email) }
- end
+ #def configure_permitted_parameters
+ #devise_parameter_sanitizer.for(:user) { |u| u.permit(:name, :city, :email) }
+ #end
 private
diff --git a/app/controllers/my/settings_controller.rb b/app/controllers/my/settings_controller.rb
index 013b66c6..7f6308ce 100644
--- a/app/controllers/my/settings_controller.rb
+++ b/app/controllers/my/settings_controller.rb
@@ -7,7 +7,7 @@ module My
 def update
 @user = current_user
 @user.interest_ids = params[:user][:interest_ids] ||= []
- if @user.update_without_password(user_params)
+ if @user.update(user_params)
 redirect_to my_settings_path, :notice => t(:profile_saved)
 else
 render :index
diff --git a/app/models/user.rb b/app/models/user.rb
index eaff2a11..4a43d108 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -2,7 +2,7 @@ require 'bcrypt'
 class User < ActiveRecord::Base
 include BCrypt
- #before_save :ensure_authentication_token
+ before_save :ensure_authentication_token
 after_create :send_welcome_email unless Rails.env.test?
 validates :name, :presence => true
@@ -75,6 +75,12 @@ class User < ActiveRecord::Base
 creations.create(name: name, category_id: category.id)
 end
+ def valid_password?(password)
+ bcrypt = ::BCrypt::Password.new(encrypted_password)
+ password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
+ secure_compare(password, encrypted_password)
+ end
+
 class << self
 def ordered
 User.order(:creations_count => :desc)
@@ -88,23 +94,28 @@ class User < ActiveRecord::Base
 def login(username, password)
 user = User.find_by(email: username)
 return false if user.nil?
- bcrypt = ::BCrypt::Password.new(user.encrypted_password)
- password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
- if secure_compare(password, user.encrypted_password)
- UserSession.create!(user: user)
+ if user.valid_password?(password)
+ UserSession.create!(user: self)
 else
 false
 end
 end
- # constant-time comparison algorithm to prevent timing attacks
- def secure_compare(a, b)
- return false if a.blank? || b.blank? || a.bytesize != b.bytesize
- l = a.unpack "C#{a.bytesize}"
+ end
- res = 0
- b.each_byte { |byte| res |= byte ^ l.shift }
- res == 0
- end
+ private
+
+ # constant-time comparison algorithm to prevent timing attacks
+ def secure_compare(a, b)
+ return false if a.blank? || b.blank? || a.bytesize != b.bytesize
+ l = a.unpack "C#{a.bytesize}"
+
+ res = 0
+ b.each_byte { |byte| res |= byte ^ l.shift }
+ res == 0
+ end
+
+ def ensure_authentication_token
+ self.authentication_token = SecureRandom.hex(32) if self.authentication_token.blank?
 end
 end
diff --git a/spec/controllers/api/v1/logins_controller_spec.rb b/spec/controllers/api/v1/logins_controller_spec.rb
index ea618246..4abf2614 100644
--- a/spec/controllers/api/v1/logins_controller_spec.rb
+++ b/spec/controllers/api/v1/logins_controller_spec.rb
@@ -5,7 +5,7 @@ describe Api::V1::LoginsController do
 let(:user) { create(:user) }
 it "should return the auth token" do
- post :create, { :email => user.email, :password => user.password }
+ post :create, { :email => user.email, :password => 'password' }
 response.body.should == { auth_token: user.authentication_token }.to_json
 end
 end
|
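Review bot: Both hunks of application_controller.rb leave the Devise hooks as commented-out code (`#before_action :configure_permitted_parameters, if: :devise_controller?`, `#protected`, and the three-line `#def configure_permitted_parameters` body) instead of deleting them. Commented-out code is noise that version control already preserves; if Devise is being removed, delete those lines, and if the hooks are only disabled for now, replace them with a single explanatory comment such as `# Devise parameter sanitizer disabled while Devise is being removed (see [TICKET-PLACEHOLDER])`.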
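Review bot: Swapping `update_without_password(user_params)` for `update(user_params)` in `My::SettingsController#update` drops the step that removed `password` and `password_confirmation` from the attributes before saving; whether the settings form can now change a password without the current one depends on `user_params`, which is defined outside the hunk. If `user_params` permits `:password`, either stop permitting it there or keep the strip explicitly, e.g. `if @user.update(user_params.except(:password, :password_confirmation))`. The body of `update` continues past the end of the hunk.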
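Review bot: Enabling `before_save :ensure_authentication_token` issues a token on the next save, but the callback body added in a later hunk of this file only assigns `SecureRandom.hex(32)` when `authentication_token` is blank, so nothing in this diff ever rotates a token once set — a password change leaves a previously issued token valid. Consider clearing `authentication_token` when the password changes so the callback issues a fresh one, e.g. `self.authentication_token = nil if encrypted_password_changed?` ahead of the blank check. Existing rows also keep an empty token until they are saved again, so a backfill may be needed if the API login path expects every user to have one.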
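Review bot: `valid_password?` calls `::BCrypt::Password.new(encrypted_password)` unguarded, and BCrypt raises `BCrypt::Errors::InvalidHash` when the stored value is blank or is not a bcrypt digest, so a user row without a usable `encrypted_password` turns a failed login into an exception instead of `false`. Add `return false if encrypted_password.blank?` as the first line, and consider rescuing `::BCrypt::Errors::InvalidHash` to `false` (with a log line) so authentication never raises on bad stored data.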
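Review bot: `UserSession.create!(user: self)` in `login` runs inside `class << self`, so `self` is the `User` class rather than the record found two lines above; the removed line passed `user: user`, and that is what the session needs. With `create!`, handing a class to the association is likely to raise `ActiveRecord::AssociationTypeMismatch`, so every correct password would fail to produce a session. Restore it as `UserSession.create!(user: user)`.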
