I''m in the progress of migrating my website from using Authlogic to my
own authentication solution for one reason or another and I''ve hit a
little problem - I''ve set Authlogic to use bcrypt-ruby for passwords,
and now I''m confused as to how I''m supposed to work with the
library
and authenticate existing users in my database.
For example, I registered a new user on my website with the password
"test". Here''s the hash and salt stored in the database:
ruby-1.9.2-p0 > u.crypted_password
=> "$2a$10$71.OHo9IrbKve9Mu7m.FNO6QRedkmGuue3/y/StdhlksBnvlL6GBS"
ruby-1.9.2-p0 > u.password_salt
=> "Hki1ozSQrkmvGzddNJq"
One would assume that I would do something like this to check the
password using the bcrypt library:
ruby-1.9.2-p0 > BCrypt::Password.new("$2a
$10$71.OHo9IrbKve9Mu7m.FNO6QRedkmGuue3/y/StdhlksBnvlL6GBS") ==
"hello"
...but the result is "false". Do we need to work the salt in? And if
yes, how? Trying to pass it as a constructor argument or trying the
"salt" setter doesn''t work.
--
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.
CV wrote:> ...but the result is "false". Do we need to work the salt in? And if > yes, how? Trying to pass it as a constructor argument or trying the > "salt" setter doesn''t work.You''re saving the crypted_password and the salt that was used to create it, so the validation of a newly submitted password is to pass it through the same function and compare the end results... Does Bcrypt of "newly submitted password" and u.password_salt == u.crypted_password -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Should you be using something like: if BCrypt::Engine.hash_secret(password, u.salt) == u.crypted_password valid = true end -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Well, I didn''t realize that there was a lower-level part to the
library too! But unfortunately we''re not there yet:
ruby-1.9.2-p0 > BCrypt::Engine.hash_secret("test",
"Hki1ozSQrkmvGzddNJq")
BCrypt::Errors::InvalidSalt: invalid salt
On Sep 23, 9:46 pm, Ar Chron
<li...-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org>
wrote:> Should you be using something like:
>
> if BCrypt::Engine.hash_secret(password, u.salt) == u.crypted_password
> valid = true
> end
> --
> Posted viahttp://www.ruby-forum.com/.
--
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.
CV wrote:> Well, I didn''t realize that there was a lower-level part to the > library too! But unfortunately we''re not there yet: > > ruby-1.9.2-p0 > BCrypt::Engine.hash_secret("test", > "Hki1ozSQrkmvGzddNJq") > BCrypt::Errors::InvalidSalt: invalid saltI wonder if Authlogic overrode any of the default settings for BCrypt? What do you get using irb for @version, @cost, @salt, @hash after: @version, @cost, @salt, @hash = BCrypt::Password.new(u.crypted_password) on your test user? Source docs indicate Password.new returns a quadruple: # File lib/bcrypt.rb, line 161 161: def initialize(raw_hash) 162: if valid_hash?(raw_hash) 163: self.replace(raw_hash) 164: @version, @cost, @salt, @hash = split_hash(self) 165: else 166: raise Errors::InvalidHash.new("invalid hash") 167: end 168: end -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.