
Sifrovanie hesiel v session pomocou cookies

Cinan Rakosnik authored on 14/04/2013 at 21:50:46
Showing 5 changed files
... ...
@@ -5,10 +5,11 @@ gem 'rails', '~> 3.2.11'
5 5
 # Bundle edge Rails instead:
6 6
 # gem 'rails', :git => 'git://github.com/rails/rails.git'
7 7
 
8
-gem "mongoid", "~> 3.0.20"
9
-gem "xmpp4r", "~> 0.5"
10
-gem "thin", "~> 1.5.0"
11
-gem "websocket-rails", "~> 0.4.3"
8
+gem 'mongoid', '~> 3.0.20'
9
+gem 'xmpp4r', '~> 0.5'
10
+gem 'thin', '~> 1.5.0'
11
+gem 'websocket-rails', '~> 0.4.3'
12
+gem 'bcrypt-ruby'
12 13
 
13 14
 # Gems used only for assets and not required
14 15
 # in production environments by default.
... ...
@@ -17,7 +18,7 @@ group :assets do
17 17
   gem 'coffee-rails', '~> 3.2.1'
18 18
   gem 'normalize-rails'
19 19
   gem 'compass-rails'
20
-  gem "rails-backbone"
20
+  gem 'rails-backbone'
21 21
   gem 'haml_coffee_assets'
22 22
   #gem "marionette-rails", "~> 0.10.2"
23 23
 
... ...
@@ -37,28 +38,25 @@ group :development do
37 37
 end
38 38
 
39 39
 group :test do
40
-	gem "minitest"
40
+	gem 'minitest'
41 41
 	gem 'minitest-reporters', '>= 0.5.0'
42 42
 	gem 'test-unit'
43 43
 	gem 'timecop'
44
-	gem "rspec-rails"
45
-	gem "capybara"
46
-	gem "launchy"
47
-	gem "factory_girl_rails"
44
+	gem 'rspec-rails'
45
+	gem 'capybara'
46
+	gem 'launchy'
47
+	gem 'factory_girl_rails'
48 48
     gem 'guard-spork'
49 49
     gem 'spork'
50
-    gem "phantomjs-binaries"
51
-    gem "casperjs"
50
+    gem 'phantomjs-binaries'
51
+    gem 'casperjs'
52 52
 end
53 53
 
54 54
 gem 'jquery-rails'
55
-gem "haml", "~> 3.1.7"
56
-gem "haml-rails", "~> 0.3.5"
55
+gem 'haml', '~> 3.1.7'
56
+gem 'haml-rails', '~> 0.3.5'
57 57
 gem 'i18n-js'
58 58
 
59
-# To use ActiveModel has_secure_password
60
-# gem 'bcrypt-ruby', '~> 3.0.0'
61
-
62 59
 # To use Jbuilder templates for JSON
63 60
 # gem 'jbuilder'
64 61
 
... ...
@@ -31,6 +31,7 @@ GEM
31 31
     addressable (2.3.3)
32 32
     ansi (1.4.3)
33 33
     arel (3.0.2)
34
+    bcrypt-ruby (3.0.1)
34 35
     better_errors (0.7.2)
35 36
       coderay (>= 1.0.0)
36 37
       erubis (>= 2.6.6)
... ...
@@ -262,6 +263,7 @@ PLATFORMS
262 262
   ruby
263 263
 
264 264
 DEPENDENCIES
265
+  bcrypt-ruby
265 266
   better_errors
266 267
   binding_of_caller
267 268
   capistrano
... ...
@@ -35,6 +35,8 @@ class ApplicationController < ActionController::Base
35 35
         save_session(user_id, user_credentials)
36 36
     end
37 37
 
38
+    private
39
+
38 40
     def save_session(user_id, user_credentials)
39 41
         session[:token]      = Token.generate_token()
40 42
         session[:created_at] = Time.now
... ...
@@ -42,7 +44,12 @@ class ApplicationController < ActionController::Base
42 42
 
43 43
         if user_credentials
44 44
             session[:users] = {} unless session[:users]
45
-            session[:users][user_credentials[:jid]] = user_credentials[:password]
45
+
46
+            encrypted_pass = Security::encrypt(user_credentials[:password])
47
+            cookies[:key] = Security::cipher_key
48
+            cookies[:iv]  = Security::cipher_iv
49
+
50
+            session[:users][user_credentials[:jid]] = encrypted_pass
46 51
         end
47 52
 
48 53
         @token.save_session(session, user_id)
... ...
@@ -27,11 +27,18 @@ class WsRosterController < WebsocketRails::BaseController
27 27
         # TODO: Pouzit najprv:
28 28
         # clients = Token.fing_user_accounts_having_to_token(session[:token])
29 29
         # ale toto, az ked budem mat dokonceny multiaccount (settings a popup)
30
-        clients = session[:users]
30
+        cookies = env['rack.request.cookie_hash']
31
+        cipher_key = cookies['key']
32
+        cipher_iv = cookies['iv']
31 33
 
32
-        clients.each do |jid, pass|
34
+        clients = session[:users].map do |jid, encrypted_pass|
35
+            decrypted_pass = Security::decrypt(encrypted_pass, cipher_key, cipher_iv)
36
+            {jid: jid, pass: decrypted_pass}
37
+        end
38
+
39
+        clients.each do |client|
33 40
             begin
34
-                client = Signin.try_login(jid, pass)
41
+                client = Signin.try_login(client[:jid], client[:pass])
35 42
                 connection_store[:clients] << client
36 43
             rescue Signin::LoginError
37 44
                 send_message 'app.client.cannot_connect', true
38 45
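Review bot: `cookies['key']` and `cookies['iv']` come straight from the client and are used without a presence check, and `Security::decrypt` runs inside the `map` ahead of the existing `begin`/`rescue Signin::LoginError` loop, so a missing, expired or tampered cookie — or a nil `session[:users]` — raises out of the handler instead of producing the `app.client.cannot_connect` message the loop already sends. A wrong key or IV surfaces as `OpenSSL::Cipher::CipherError` from `final`, and a nil or wrong-length key/IV as an argument/type error; none of these is rescued here. I would guard the inputs and rescue around the decrypt so a single bad entry skips that account rather than aborting the whole roster. The enclosing method starts before and ends after this hunk, and with the Ruby of this era the rescue needs an explicit `begin` inside the block, as the existing loop already does.
```ruby
cookies = env['rack.request.cookie_hash'] || {}
cipher_key = cookies['key']
cipher_iv  = cookies['iv']

clients = (session[:users] || {}).map do |jid, encrypted_pass|
    next if cipher_key.nil? || cipher_iv.nil?
    begin
        { jid: jid, pass: Security::decrypt(encrypted_pass, cipher_key, cipher_iv) }
    rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
        send_message 'app.client.cannot_connect', true
        nil
    end
end.compact

# … unchanged: clients.each / Signin.try_login loop …
```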
new file mode 100644
... ...
@@ -0,0 +1,37 @@
0
+require 'bcrypt'
1
+
2
+module Security
3
+    mattr_reader :cipher_iv, :cipher_key
4
+
5
+    def self.encrypt(unencrypted_message, password = nil)
6
+        cipher = OpenSSL::Cipher::Cipher.new('aes-256-cbc')
7
+        cipher.encrypt()
8
+
9
+        pass = password ? password : generate_token()
10
+        cipher.key = @@cipher_key = Digest::SHA1.hexdigest(pass)
11
+        cipher.iv  = @@cipher_iv  = cipher.random_iv
12
+
13
+        encrypted = cipher.update(unencrypted_message)
14
+        encrypted << cipher.final
15
+    end
16
+
17
+    def self.decrypt(encrypted_message, key, iv)
18
+        cipher = OpenSSL::Cipher::Cipher.new('aes-256-cbc')
19
+        cipher.decrypt()
20
+
21
+        cipher.key = @@cipher_key = key
22
+        cipher.iv  = @@cipher_iv = iv
23
+
24
+        decrypted = cipher.update(encrypted_message)
25
+        decrypted << cipher.final
26
+    end
27
+
28
+    def self.generate_token()
29
+        BCrypt::Engine.generate_salt()
30
+    end
31
+
32
+    def self.save_cookies
33
+        cookies[:key] = @@cipher_key
34
+        cookies[:iv]  = @@cipher_iv
35
+    end
36
+end
0 37
\ No newline at end of file
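Review bot: `@@cipher_key` and `@@cipher_iv` are process-wide class variables that both `encrypt` and `decrypt` overwrite on every call, so concurrent requests race on them and `decrypt` stores whatever key/IV a client's cookies contained into state that `mattr_reader` then exposes to the next caller of `cipher_key`/`cipher_iv`. The key derivation is also off: `Digest::SHA1.hexdigest(pass)` yields 40 hex characters, not the 32 raw bytes aes-256-cbc needs, so the key is either truncated or rejected depending on the OpenSSL binding, and a hex alphabet halves the entropy per byte; `cipher.random_key` (or `Digest::SHA256.digest` when a password is given) gives a correctly sized key. Note as well that `save_cookies` calls `cookies`, which the module does not define, and that CBC without a MAC means tampering is only detected as a `CipherError` on `final`, so callers must rescue it (an AEAD mode or an HMAC over the ciphertext would be the proper fix). I'd make `encrypt` return `[ciphertext, key, iv]` and drop the module state, with call sites destructuring the result.
```ruby
module Security
    # Encrypts `unencrypted_message` and returns [ciphertext, key, iv];
    # no key material is kept in module state.
    def self.encrypt(unencrypted_message, password = nil)
        cipher = OpenSSL::Cipher.new('aes-256-cbc')
        cipher.encrypt
        key = password ? Digest::SHA256.digest(password) : cipher.random_key
        iv  = cipher.random_iv
        cipher.key = key
        cipher.iv  = iv
        [cipher.update(unencrypted_message) + cipher.final, key, iv]
    end

    # Raises OpenSSL::Cipher::CipherError when key/iv do not match the ciphertext.
    def self.decrypt(encrypted_message, key, iv)
        cipher = OpenSSL::Cipher.new('aes-256-cbc')
        cipher.decrypt
        cipher.key = key
        cipher.iv  = iv
        cipher.update(encrypted_message) + cipher.final
    end

    # … unchanged: generate_token …
end
```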