Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bugfix/devise #12

Merged
merged 3 commits into from
Oct 5, 2022
Merged

Bugfix/devise #12

merged 3 commits into from
Oct 5, 2022

Conversation

marcel-strzalka
Copy link
Owner

@marcel-strzalka marcel-strzalka commented Oct 5, 2022
edited
Loading

This PR:

  1. Updates devise mailer sender config.
  2. Changes default hashing algorithm from Bcrypt to Argon2 in order to avoid problems with passwords with too many bytes. More about this issue can be found here. I also removed support for salt in User model, because Argon2 similarly to Bcrypt, stores the salt in the password hash.
  3. Changes minimum password length to 10.
  4. Adds a workaround in order to fix broken flash messages in login and registration forms. More information about this workaround can be found here. TurboController and TurboFailureApp classes are a part of it.

Hashing with Argon2 was implemented with help of these 2 following gems:

  1. devise-encryptable
  2. devise-argon2

Edit: After talking with Rafał I was made aware of the fact that I shouldn't use devise-argon2 library, because it uses Argon2 hashing algorithms in an invalid way. Instead I decided to simply add a validation to User model that checks if the bytesize of password is not too long (Bcrypt will truncate any data after consuming 72 bytes, leading to potential problems).

@marcel-strzalka marcel-strzalka self-assigned this Oct 5, 2022
@marcel-strzalka
Disallow too long passwords for users.
298e834 
Devise default hashing algorithm Bcrypt uses only 72 bytes of
data in order to create a password hash. Rest of it is truncated,
leading to some potential serious security vulnerabilities.
kodowicz
kodowicz reviewed Oct 5, 2022
View reviewed changes
Copy link

@kodowicz kodowicz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👏🏽

config/initializers/devise.rb

# ==> Mailer Configuration
# Configure the e-mail address which will be shown in Devise::Mailer,
# note that it will be overwritten if you use your own mailer class
# with default "from" parameter.
config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'
config.mailer_sender = 'manager@montecinema.com'
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would store this email in env 🤔

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, I'll leave that as it is for now and gonna get back to it when I prepare my app for deployment.

@marcel-strzalka marcel-strzalka merged commit 1c984e2 into main Oct 5, 2022
@marcel-strzalka marcel-strzalka deleted the bugfix/devise branch October 5, 2022 12:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kodowicz kodowicz kodowicz left review comments

Assignees

@marcel-strzalka marcel-strzalka

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@marcel-strzalka @kodowicz