@@ -13,3 +13,5 @@

 # Ignore all logfiles and tempfiles.

 /log/*.log

 /tmp

+

+/config/initializers/secret_token.rb

\ No newline at end of file

@@ -5,10 +5,11 @@ gem 'rails', '~> 3.2.11'

 # Bundle edge Rails instead:

 # gem 'rails', :git => 'git://github.com/rails/rails.git'

-gem "mongoid", "~> 3.0.20"

-gem "xmpp4r", "~> 0.5"

-gem "thin", "~> 1.5.0"

-gem "websocket-rails", "~> 0.4.3"

+gem 'mongoid', '~> 3.0.20'

+gem 'xmpp4r', '~> 0.5'

+gem 'thin', '~> 1.5.0'

+gem 'websocket-rails', '~> 0.4.3'

+gem 'bcrypt-ruby'

 # Gems used only for assets and not required

 # in production environments by default.

@@ -17,7 +18,7 @@ group :assets do

   gem 'coffee-rails', '~> 3.2.1'

   gem 'normalize-rails'

   gem 'compass-rails'

-  gem "rails-backbone"

+  gem 'rails-backbone'

   gem 'haml_coffee_assets'

   #gem "marionette-rails", "~> 0.10.2"

@@ -37,28 +38,25 @@ group :development do

 end

 group :test do

-	gem "minitest"

+	gem 'minitest'

 	gem 'minitest-reporters', '>= 0.5.0'

 	gem 'test-unit'

 	gem 'timecop'

-	gem "rspec-rails"

-	gem "capybara"

-	gem "launchy"

-	gem "factory_girl_rails"

+	gem 'rspec-rails'

+	gem 'capybara'

+	gem 'launchy'

+	gem 'factory_girl_rails'

     gem 'guard-spork'

     gem 'spork'

-    gem "phantomjs-binaries"

-    gem "casperjs"

+    gem 'phantomjs-binaries'

+    gem 'casperjs'

 end

 gem 'jquery-rails'

-gem "haml", "~> 3.1.7"

-gem "haml-rails", "~> 0.3.5"

+gem 'haml', '~> 3.1.7'

+gem 'haml-rails', '~> 0.3.5'

 gem 'i18n-js'

-# To use ActiveModel has_secure_password

-# gem 'bcrypt-ruby', '~> 3.0.0'

-

 # To use Jbuilder templates for JSON

 # gem 'jbuilder'

@@ -31,6 +31,7 @@ GEM

     addressable (2.3.3)

     ansi (1.4.3)

     arel (3.0.2)

+    bcrypt-ruby (3.0.1)

     better_errors (0.7.2)

       coderay (>= 1.0.0)

       erubis (>= 2.6.6)

@@ -262,6 +263,7 @@ PLATFORMS

   ruby

 DEPENDENCIES

+  bcrypt-ruby

   better_errors

   binding_of_caller

   capistrano

@@ -27,28 +27,37 @@ class ApplicationController < ActionController::Base

             user_id = @token.user_id

             @token.delete

         else

-            user_id = !user_credentials ? nil : create_new_user(user_credentials)

+            user_id = nil

         end

         @token = Token.new

-        save_session(user_id)

+        save_session(user_id, user_credentials)

     end

-    def save_session(user_id)

-        session[:token] = Token.generate_token()

+    private

+

+    def save_session(user_id, user_credentials)

+        session[:token]      = Token.generate_token()

         session[:created_at] = Time.now

-        session[:ip] = request.remote_ip

+        session[:ip]         = request.remote_ip

+

+        if user_credentials

+            session[:users] = {} unless session[:users]

+

+            encrypted_pass = Security::encrypt(user_credentials[:password])

+            cookies[:key] = Security::cipher_key

+            cookies[:iv]  = Security::cipher_iv

+

+            session[:users][user_credentials[:jid]] = encrypted_pass

+        end

         @token.save_session(session, user_id)

     end

     def create_new_user(user_credentials)

         jid  = user_credentials[:jid]

-        pass = user_credentials[:password]

-

         user = User.existing_jid(jid) || User.create_jid(jid)

-        user.update_pass(jid, pass)

         user.id

     end

@@ -4,8 +4,6 @@ class SessionsController < ApplicationController

 	end

 	def create

-		#require_dependency "signin.rb"

-

 		begin

 			Signin.try_login(params[:jid].downcase, params[:password])

 		rescue Signin::LoginError

@@ -24,11 +24,21 @@ class WsRosterController < WsController

     def connect

         initialize_storage()

-        clients = Token.fing_user_accounts_having_to_token(session[:token])

+        # TODO: Pouzit najprv:

+        # clients = Token.fing_user_accounts_having_to_token(session[:token])

+        # ale toto, az ked budem mat dokonceny multiaccount (settings a popup)

+        cookies = env['rack.request.cookie_hash'] # TODO: nahlasit bug na websocket-rails, lebo sa neda pristupit ku `cookies'

+        cipher_key = cookies['key']

+        cipher_iv = cookies['iv']

+

+        clients = session[:users].map do |jid, encrypted_pass|

+            decrypted_pass = Security::decrypt(encrypted_pass, cipher_key, cipher_iv)

+            {jid: jid, pass: decrypted_pass}

+        end

-        clients.each do |credentials|

+        clients.each do |client|

             begin

-                client = Signin.try_login(credentials['jid'], credentials['pass'])

+                client = Signin.try_login(client[:jid], client[:pass])

                 connection_store[:clients] << client

             rescue Signin::LoginError

                 send_message 'app.client.cannot_connect', true

new file mode 100644

@@ -0,0 +1,43 @@

+require 'bcrypt'

+

+module Security

+    mattr_reader :cipher_iv, :cipher_key

+

+    def self.encrypt(unencrypted_message, password = nil)

+        cipher = OpenSSL::Cipher::Cipher.new('aes-256-cbc')

+        cipher.encrypt()

+

+        pass = password ? password : generate_token()

+        cipher.key = @@cipher_key = Digest::SHA1.hexdigest(pass)

+        cipher.iv  = @@cipher_iv  = cipher.random_iv

+

+        encrypted = cipher.update(unencrypted_message)

+        encrypted << cipher.final

+    end

+

+    def self.decrypt(encrypted_message, key, iv)

+        cipher = OpenSSL::Cipher::Cipher.new('aes-256-cbc')

+        cipher.decrypt()

+

+        cipher.key = @@cipher_key = key

+        cipher.iv  = @@cipher_iv = iv

+

+        begin

+            decrypted = cipher.update(encrypted_message)

+            decrypted << cipher.final

+        rescue

+            decrypted = ''

+        end

+

+        decrypted

+    end

+

+    def self.generate_token()

+        BCrypt::Engine.generate_salt()

+    end

+

+    def self.save_cookies

+        cookies[:key] = @@cipher_key

+        cookies[:iv]  = @@cipher_iv

+    end

+end

\ No newline at end of file

@@ -43,7 +43,7 @@ module Xmpp

     config.encoding = "utf-8"

     # Configure sensitive parameters which will be filtered from the log file.

-    config.filter_parameters += [:password]

+    config.filter_parameters += [:password, :users]

     # Enable escaping HTML in JSON.

     config.active_support.escape_html_entities_in_json = true

@@ -4,4 +4,11 @@

 # If you change this key, all old signed cookies will become invalid!

 # Make sure the secret is at least 30 characters and all random,

 # no regular words or you'll be exposed to dictionary attacks.

-Xmpp::Application.config.secret_token = '48c49768f9ec3134de5f76e352f13bf8fd66252d67f6d285c1c6de8457f0499075975aaaef1c32be9d596120302e8e3f7b6200c207835463ecdbb6c1610705c2'

+

+if Rails.env == 'development'

+    Xmpp::Application.config.secret_token = '48c49768f9ec3134de5f76e352f13bf8fd66258941sa5d489g4fhj8k4uk8499075975aaaef1c32be9d596120302e8e3f7b6200c207835463ecdbb6c1610705c2'

+elsif Rails.env == 'test'

+    Xmpp::Application.config.secret_token = '48c49768f9ec3134de5f76e352f13bf8fd66252d67f6d285c1c6de8457f0499075975aaaesdjfdsaf84dasf4das89f47d44hgf7yuuy35463ecdbb6c1610705c2'

+else

+    Xmpp::Application.config.secret_token = '8as5dg8fd4s5f76e352f13bf8fd66289dsa41s4tyijk8uy494j4e8457f0499075975aaaef89asd4302e8e3f7b6200c207835463ecdbb6cugsadbfy31610705c2'

+end