Decryptor for bcrypt - ruby-on-rails

The title is pretty self explanatory. I'm not sure if this exists, as it would greatly compromise the security of bcrypt, but i'm using Devise in a rails app and forgot my password. However I can access the server and find the info. I can see the encrypted password and need to decrypt it.
I do not want alternate solutions to the problem, i just want a decryptor so I can get the password.

Why don't you just spin up a Rails console and re-assign your password manually?
u = User.find_by_username('myname')
u.password = u.password_confirmation = 'reset_password'
u.save
Usually something along those lines will work.

Related

Authlogic: How to prevent reuse of previous password?

how can you find out the user's past encrypted password to check if he is using the old password as the new one, in previous "Authlogic" versions it was easy to check, but in newer versions, I cannot find out the password hash, even if I know the old salt and the new password, is there a way to determine if the user is using the old password as the new one?
how can you .. check if [the user] is using the old password as the new one .. I cannot find out the password hash, even if I know the old salt and the new password ..
If you have always used the same crypto_provider, it should be fairly simple.
salt = current_user.password_salt
old_crypted_pw = current_user.crypted_password
new_plaintext_password = params[:new_password]
provider = User.crypto_provider
new_crypted_pw = provider.encrypt(new_plaintext_password, salt)
if new_crypted_pw == old_crypted_pw
raise 'Cannot reuse password'
# ...
Documentation of these methods can be found in authlogic/acts_as_authentic/password.rb.
If you are transitioning from one crypto provider to another (the transition_from_crypto_providers feature) then you must try to match against all User.crypto_providers.

How to check that old password is equal to that one in database

I want to make a change password in rails i want to enter the old password as a string and check it with the encrypted one in the database i am using Devise gem how can i do this
You want Devise's valid_password? method.
> user = User.find(1)
> user.valid_password?('invalidpassword')
=> false
> user.valid_password?('therealpassword')
=> true
Devise already provides you with this functionality. It should probably work out of the box using the edit_user_registration_path.
Have a look at https://github.com/plataformatec/devise/wiki/How-To%3a-Allow-users-to-edit-their-password to find some more information.

Should I accept a crypted password with AuthLogic?

Basically as the question asks.
The AuthLogic documentation for verify_password_method states:
The name of the method in your model used to verify the password. This should be an instance method. It should also be prepared to accept a raw password and a crytped password.
I'd like to support this, because it allows me to maintain our system's current masquerading behaviour without storing plain-text passwords like we have been in the past. However, it seems to me like allowing a simple string comparison to the crypted_password in the database is just as bad as storing the regular plain-text passwords.
Am I missing something here, or is there some other way to accept a crypted password in AuthLogic?
For reference, this is how I was going to write the valid_password? method:
def valid_password?(password, check_from_database = nil)
if password == self.crypted_password
true
else
super(password, check_from_database)
end
end
Ok, turns out that there's a much easier way to do this (although it seems horribly undocumented, and didn't turn up with a Google search of how to achieve this).
Authlogic::Session::Base.new(#user, true)
That line allows session creation without checking credentials. Obviously you should be careful with this since it assumes that the user has already identified themselves correctly - for my usage, since there is a check to ensure the current user is the admin user, it's safe.

How do I reset a user password from the console in Hobo/Rails

The rails framework Hobo is brilliant and automatically creates the first user as the admin user (unless you ask it not to). The problem I have is that running rails in development I can't remember what the password was. This should be trivial because I just run rails console, find the user admin = User.find :first and reset the password (trying)
admin.password = 'Anything1234'
admin.password_confirmation = admin.password
admin.save
>false
admin.errors
>{:current_password=>["is not correct"]}
I.e. the implication is that the variable current_password needs to be set correctly before I can change the existing password.
I'm afraid the Hobo documentation doesn't help in this case. Does anyone know the how to drive the Hobo user model to reset the password?
4 possible solutions:
1: run your app, and click on the forgot password link. The message will appear in your logs, so you don't need a mailer set up.
2: Just save without doing any validations:
admin.save(false)
EDIT: in Rails 3 this is
admin.save(:validate => false)
3: Another option is just to delete all users so you get your initial user entry screen back.
4: If you really want to run the validations, you can trigger the request_password_reset lifecycle:
admin.lifecycle.request_password_reset!(Guest.new)
then look in development log for the reset password key
u.lifecycle.reset_password!(Guest.new, :key => 'a0a2db1035065fa7ad5d46d35669d206aee73668', :password=>"test123", :password_confirmation=>"test123")
Yes, you need to set the current_password before you set the password and password_confirmation fields. This is to stop the user from changing the password without originally knowing the password.
Therefore, you would need to do something like this:
admin.current_password = 'password'
admin.password = 'Anything1234'
admin.password_confirmation = admin.password
admin.save

Use Authlogic with Typus

I'm switching to Typus because I prefer its UI over ActiveScaffold and I love the way you can set roles for the admin section. We need that.
However, where ActiveScaffold worked flawlessly with Authlogic, Typus doesn't. I'd like to combine the two anyway, but can't seem to find out how. Typus has very basic password encryption, but I can't write a crypto_provider for it, because it depends on a very simple Sha1-encryption of the salt and the password. Authlogic doesn't support that, because it doesn't send along the actual password.
I'd hate it if we had to use two User models for the front- and backend. I don't need Authlogic to be the authentication method for Typus, but they should both at least be able to compare the password with the crypted one.
Is there anyone out there who has worked around this issue?
Thank you.
I'm not entirely happy with it, but I think I've found an answer to my own question.
I've let Typus create the AdminUser, added a user_id to it and added this method to it and I call it in a before_save:
def sync_user
self.user ||= User.find_by_email(self.email)
if user = self.user
user.email = self.email
user.password = self.password
user.password_confirmation = self.password_confirmation
user.save
end
end
This seems to do the trick for me. I'd love to do it differently, but it works for now.

Resources