
`user.valid_password?` does not work if the encryption provider is sha512 and `user.stretches` has been specified

Open holysoros opened this issue 8 years ago • 3 comments

How to reproduce the bug

Change config/initializers/sorcery.rb as below:

```ruby
user.stretches = 10
user.encryption_algorithm = :sha512
```

In the Rails console, create a user with a password, for example 'secretpass'.

Then exit the console.

Start the Rails console again; `user.valid_password?('secretpass')` will return false!

Problem Analysis

`valid_password?(pass)` in lib/sorcery/model.rb doesn't set stretches to the value the user specified. The `set_encryption_attributes` class method sets stretches; `authenticate` and `encrypt` call the `set_encryption_attributes` class method, but `valid_password?` doesn't.

Proposed Solution

Call `set_encryption_attributes` in `authenticates_with_sorcery!` as below:

```ruby
module Sorcery
  module Model
    def authenticates_with_sorcery!
      # ...
      ::Sorcery::Controller::Config.user_config.tap { |blk| blk.call(@sorcery_config) if blk }
      # Proposed addition: apply the configured encryption attributes at setup.
      set_encryption_attributes
      # ...
    end
  end
end
```

holysoros, Apr 20 '16 06:04
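The failure reported above, reduced to a stand-alone sketch (an added example, not code from the issue or from Sorcery). `SingletonSha512`, `ToyUserModel`, `boot`, the default of 20 stretches and the salt are hypothetical stand-ins; `apply_config` plays the role the report gives to `set_encryption_attributes`.

```ruby
require 'digest'

# Hypothetical provider whose settings are process-wide; not Sorcery's code.
module SingletonSha512
  DEFAULT_STRETCHES = 20 # constructed default for this sketch
  class << self
    attr_writer :stretches

    def stretches
      @stretches ||= DEFAULT_STRETCHES
    end

    def encrypt(password, salt)
      digest = "#{password}#{salt}"
      stretches.times { digest = Digest::SHA512.hexdigest(digest) }
      digest
    end
  end
end

# Hypothetical model layer; apply_config stands in for set_encryption_attributes.
class ToyUserModel
  CONFIGURED_STRETCHES = 10 # value from the initializer in the report

  def self.apply_config
    SingletonSha512.stretches = CONFIGURED_STRETCHES
  end

  # Simulates class load in a fresh process; apply_at_setup models the proposed fix.
  def self.boot(apply_at_setup:)
    SingletonSha512.stretches = nil
    apply_config if apply_at_setup
  end

  def self.encrypt(password, salt)
    apply_config
    SingletonSha512.encrypt(password, salt)
  end

  # Verification path as reported: it never refreshes the provider settings.
  def self.valid_password?(stored, password, salt)
    candidate = SingletonSha512.encrypt(password, salt)
    stored.bytesize == candidate.bytesize &&
      stored.bytes.zip(candidate.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

def reproduce(apply_at_setup:)
  ToyUserModel.boot(apply_at_setup: false)
  stored = ToyUserModel.encrypt('secretpass', 'constructed-salt') # first console session
  ToyUserModel.boot(apply_at_setup: apply_at_setup)               # second console session
  ToyUserModel.valid_password?(stored, 'secretpass', 'constructed-salt')
end
```

`reproduce(apply_at_setup: false)` returns false because the second session hashes with the provider default instead of the configured 10 stretches; `reproduce(apply_at_setup: true)` returns true.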

Hi guys, I have the same problem, fixed in a similar way.

bitberry-dev, Nov 14 '21 12:11

I wasn't a huge fan of how this overwriting of a singleton config worked, so this will be changed in v1 to no longer be an issue. The config values will live on the instance of the hashing provider instead: sorcery-core/lib/sorcery/config.rb

@bitberry-dev if this is still an issue in the latest version of Sorcery (v0.16.1), can you please open an issue on the current repo? Sorcery/sorcery - Create new issue

joshbuker, Nov 15 '21 17:11

@athix Of course, I will re-check this bug soon and open a new issue.

bitberry-dev, Nov 15 '21 22:11