Merge pull request #97 from OWASP/pr-96

Pr 96
2014-03-14 16:58:52 -04:00
parent e49b43f899 caaa3ba96d
commit 419b5bbfdc
14 changed files with 88 additions and 19 deletions
@@ -9,7 +9,10 @@ class ApplicationController < ActionController::Base
  private

  def current_user
-    @current_user ||= User.find_by_user_id(session[:user_id].to_s)
+    @current_user ||= (
+      User.find_by_auth_token(cookies[:auth_token].to_s) || 
+      User.find_by_user_id(session[:user_id].to_s)
+    )
  end

  def authenticated
@@ -8,7 +8,6 @@ class SessionsController < ApplicationController
      redirect_to home_dashboard_index_path if current_user
  end
  
-
  def create
      path = params[:url].present? ? params[:url] : home_dashboard_index_path    
      begin
@@ -19,7 +18,11 @@ class SessionsController < ApplicationController
      end
      
      if user
-        session[:user_id] = user.user_id if User.where(:user_id => user.user_id).exists?
+        if params[:remember_me]
+          cookies.permanent[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists?
+        else
+          session[:user_id] = user.user_id if User.where(:user_id => user.user_id).exists?
+        end
        redirect_to path
      else
        # Removed this code, just doesn't seem specific enough!
@@ -30,6 +33,7 @@ class SessionsController < ApplicationController
  end
  
  def destroy
+    cookies.delete(:auth_token)
    reset_session
    redirect_to root_path
  end
@@ -1,5 +1,6 @@
 class KeyManagement < ActiveRecord::Base
  attr_accessible :iv, :user_id
  belongs_to :work_info
+  belongs_to :user
  
 end
@@ -1,4 +1,7 @@
+require 'encryption'
+
 class User < ActiveRecord::Base
+
  attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation
  validates :password, :presence => true,
                       :confirmation => true,
@@ -23,7 +26,7 @@ class User < ActiveRecord::Base
  has_one :work_info, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
  has_many :performance, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
  has_many :messages, :foreign_key => :receiver_id, :primary_key => :user_id, :dependent => :destroy
-
+  before_create { generate_token(:auth_token) }

  def build_benefits_data
    build_retirement(POPULATE_RETIREMENTS.shuffle.first)
@@ -71,8 +74,6 @@ private
   end
 =end  

-
-    
  def assign_user_id
     unless @skip_user_id_assign.present? || self.user_id.present?
      user = User.order("user_id").last
@@ -88,5 +89,11 @@ private
      end
    end
  end
+  
+  def generate_token(column)
+    begin
+      self[column] = Encryption.encrypt_sensitive_value(self.user_id)
+    end while User.exists?(column => self[column])
+  end

 end
@@ -20,11 +20,17 @@
          </div>

          <div class="actions">
-	 		<span class="checkbox-wrapper">
-            	<%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%>
-			</span>	
-            <%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %>
-          </div>
+	 	
+            	<%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%><br/>
+			 	<%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %>
+			<span class="checkbox-wrapper">
+			<%= check_box_tag :remember_me, 1, params[:remember_me], {:id => "form-terms", :class => "checkbox", :type => "checkbox"} %>
+				  <label class="checkbox-label" for="form-terms"><%#= check_box_tag :remember_me, 1, params[:remember_me] %> </label> <span class="label-text">Remember</span>
+				  <!--<label class="checkbox-label" for="form-terms"></label>-->
+		    	  
+			</span>
+           
+		  

          <div class="clearfix"></div>
          <% end %>
@@ -1 +1,3 @@
-ACCESS_TOKEN_SALT = "S4828341189aefiasd#ASDF"
+ACCESS_TOKEN_SALT = "S4828341189aefiasd#ASDF"
+
+RG_IV = "PPKLKAJDKGHALDJL482823458028"
@@ -1,5 +1,5 @@
 if Rails.env.production?
  # Specify env variable/location/etc. to retrieve key from
-elsif Rails.env.development?
+else
  KEY = "123456789101112123456789101112123456789101112"
-end
+end
@@ -0,0 +1,5 @@
+class AddAuthTokenToUsers < ActiveRecord::Migration
+  def change
+    add_column :users, :auth_token, :string
+  end
+end
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.

-ActiveRecord::Schema.define(:version => 20131113200708) do
+ActiveRecord::Schema.define(:version => 20140312002642) do

  create_table "benefits", :force => true do |t|
    t.datetime "created_at", :null => false
@@ -83,6 +83,7 @@ ActiveRecord::Schema.define(:version => 20131113200708) do
    t.integer  "user_id"
    t.datetime "created_at", :null => false
    t.datetime "updated_at", :null => false
+    t.string   "auth_token"
  end

  create_table "work_infos", :force => true do |t|
@@ -0,0 +1,36 @@
+module Encryption
+ 
+  # Added a re-usable encryption routine, shouldn't be an issue!
+  def self.encrypt_sensitive_value(val="")
+     aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+     aes.encrypt
+     aes.key = key
+     aes.iv = iv if iv != nil
+     new_val = aes.update("#{val}") + aes.final
+     Base64.strict_encode64(new_val).encode('utf-8')
+  end
+  
+  def self.decrypt_sensitive_value(val="")
+     aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+     aes.decrypt
+     aes.key = key
+     aes.iv = iv if iv != nil
+     decoded = Base64.strict_decode64("#{val}")
+     aes.update("#{decoded}") + aes.final
+  end
+  
+  # Should be able to just re-use the same key we already have!
+  def self.key
+    raise "Key Missing" if !(KEY)
+    KEY
+  end
+  
+  def self.iv
+    RG_IV
+  end
+  
+  def self.cipher_type
+    'aes-256-cbc'
+  end
+ 
+end
@@ -1,5 +1,6 @@
-require 'spec_helper'
+=begin require 'spec_helper'

 describe Api::V1::UsersController do

 end
+=end
@@ -1,4 +1,4 @@
-require 'spec_helper'
+=begin require 'spec_helper'

 # Specs in this file have access to a helper object that includes
 # the Api::V1::UsersHelper. For example:
@@ -13,3 +13,4 @@ require 'spec_helper'
 describe Api::V1::UsersHelper do
  pending "add some examples to (or delete) #{__FILE__}"
 end
+=end
@@ -1,4 +1,4 @@
-require 'spec_helper'
+=begin require 'spec_helper'

 # Specs in this file have access to a helper object that includes
 # the PasswordResetsHelper. For example:
@@ -13,3 +13,4 @@ require 'spec_helper'
 describe PasswordResetsHelper do
  pending "add some examples to (or delete) #{__FILE__}"
 end
+=end
@@ -1,5 +1,6 @@
-require 'spec_helper'
+=begin require 'spec_helper'

 describe "password_resets/new.html.erb" do
  pending "add some examples to (or delete) #{__FILE__}"
 end
+=end