Add a devise bcrypt encryptor for migrations to other hashing algorithms

tneems · 29decibel · commit 82f56d92c97a · 2023-01-24T09:20:24.000-08:00
diff --git a/Changelog.md b/Changelog.md
@@ -3,6 +3,7 @@
 * Support Rails 4.1 - 7.0, dropped support for Rails <= 4.0. (same support as Devise as of v4.8)
 * Support Ruby 2.1 - 3.1, dropped support for Ruby <= 2.0. (same support as Devise as of v4.8)
 * Add support to roll legacy encryptors
+* Add support for rolling from Devise BCrypt
 
 ### 0.2.0
 
diff --git a/lib/devise/encryptable/encryptable.rb b/lib/devise/encryptable/encryptable.rb
@@ -22,6 +22,7 @@ module Encryptors
       autoload :AuthlogicSha512, 'devise/encryptable/encryptors/authlogic_sha512'
       autoload :Base, 'devise/encryptable/encryptors/base'
       autoload :ClearanceSha1, 'devise/encryptable/encryptors/clearance_sha1'
+      autoload :DeviseBcrypt, 'devise/encryptable/encryptors/devise_bcrypt'
       autoload :Pbkdf2, 'devise/encryptable/encryptors/pbkdf2'
       autoload :RestfulAuthenticationSha1, 'devise/encryptable/encryptors/restful_authentication_sha1'
       autoload :Sha1, 'devise/encryptable/encryptors/sha1'
diff --git a/lib/devise/encryptable/encryptors/devise_bcrypt.rb b/lib/devise/encryptable/encryptors/devise_bcrypt.rb
@@ -0,0 +1,33 @@
+require 'bcrypt'
+
+begin
+  module Devise
+    module Encryptable
+      module Encryptors
+        # Adapted from
+        # https://github.com/heartcombo/devise/blob/8593801130f2df94a50863b5db535c272b00efe1/lib/devise/encryptor.rb
+        class DeviseBcrypt < Base
+          def self.compare(hashed_password, password, stretches, _salt, pepper)
+            return false if hashed_password.blank?
+            bcrypt = ::BCrypt::Password.new(hashed_password)
+            if pepper.present?
+              password = "#{password}#{pepper}"
+            end
+            password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
+            Devise.secure_compare(password, hashed_password)
+          rescue BCrypt::Errors::InvalidHash
+            # this probably means the password has already been migrated
+            false
+          end
+
+          def self.digest(password, stretches, _salt, pepper)
+            if pepper.present?
+              password = "#{password}#{pepper}"
+            end
+            ::BCrypt::Password.create(password, cost: stretches).to_s
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/test/devise/encryptable/encryptors_test.rb b/test/devise/encryptable/encryptors_test.rb
@@ -1,4 +1,5 @@
 require "test_helper"
+require "ostruct"
 
 class Encryptors < ActiveSupport::TestCase
   include Support::Swappers
@@ -21,6 +22,44 @@ class Encryptors < ActiveSupport::TestCase
     assert_equal clearance, encryptor
   end
 
+  test 'Devise can verify passwords generated by DeviseBcrypt' do
+    password = '123mudar'
+    klass = OpenStruct.new(pepper: '65c58472c207c829f28c68619d3e3aefed18ab3f', stretches: 10)
+
+    hashed_password = Devise::Encryptable::Encryptors::DeviseBcrypt.digest(password, klass.stretches, nil, klass.pepper)
+
+    assert Devise::Encryptor.compare(klass, hashed_password, password)
+  end
+
+  test 'DeviseBcrypt can verify bcrypt hashes created by Devise' do
+    password = '123mudar'
+    klass = OpenStruct.new(pepper: '65c58472c207c829f28c68619d3e3aefed18ab3f', stretches: 10)
+
+    devise_hash = Devise::Encryptor.digest(klass, password)
+
+    assert Devise::Encryptable::Encryptors::DeviseBcrypt.compare(devise_hash, password, klass.stretches, nil, klass.pepper)
+  end
+
+  test 'Devise fails to verify passwords generated by DeviseBcrypt when the password is wrong' do
+    password = '123mudar'
+    different_password = 'theskyisfalling123'
+    klass = OpenStruct.new(pepper: '65c58472c207c829f28c68619d3e3aefed18ab3f', stretches: 10)
+
+    hashed_password = Devise::Encryptable::Encryptors::DeviseBcrypt.digest(password, klass.stretches, nil, klass.pepper)
+
+    refute Devise::Encryptor.compare(klass, hashed_password, different_password)
+  end
+
+  test 'DeviseBcrypt fails to verify bcrypt hashes created by Devise when the password is wrong' do
+    password = '123mudar'
+    different_password = 'theskyisfalling123'
+    klass = OpenStruct.new(pepper: '65c58472c207c829f28c68619d3e3aefed18ab3f', stretches: 10)
+
+    devise_hash = Devise::Encryptor.digest(klass, password)
+
+    refute Devise::Encryptable::Encryptors::DeviseBcrypt.compare(devise_hash, different_password, klass.stretches, nil, klass.pepper)
+  end
+
   test 'digest should raise NotImplementedError if not implemented in subclass' do
     c = Class.new(Devise::Encryptable::Encryptors::Base)
     assert_raise(NotImplementedError) do
