From e7c30151d441a57958468951c25222396112dc16 Mon Sep 17 00:00:00 2001
From: relotnek
Date: Tue, 11 Mar 2014 20:28:15 -0400
Subject: [PATCH 01/15] added token to users model and generate token method to users controller
---
 app/models/user.rb | 6 ++++++
 db/migrate/20140312002642_add_auth_token_to_users.rb | 5 +++++
 db/schema.rb | 3 ++-
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 db/migrate/20140312002642_add_auth_token_to_users.rb
diff --git a/app/models/user.rb b/app/models/user.rb
index 2af7dc2..909fb64 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -81,5 +81,11 @@ private
 end
 end
 end
+
+ def generate_token(column)
+ begin
+ self[column] = SecureRandom.urlsafe_base64
+ end while User.exists?(column => self[column])
+ end
 end
diff --git a/db/migrate/20140312002642_add_auth_token_to_users.rb b/db/migrate/20140312002642_add_auth_token_to_users.rb
new file mode 100644
index 0000000..2c83ac1
--- /dev/null
+++ b/db/migrate/20140312002642_add_auth_token_to_users.rb
@@ -0,0 +1,5 @@
+class AddAuthTokenToUsers < ActiveRecord::Migration
+ def change
+ add_column :users, :auth_token, :string
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index b7ded3a..2ec1d36 100755
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
-ActiveRecord::Schema.define(:version => 20131113200708) do
+ActiveRecord::Schema.define(:version => 20140312002642) do
 create_table "benefits", :force => true do |t|
 t.datetime "created_at", :null => false
@@ -83,6 +83,7 @@ ActiveRecord::Schema.define(:version => 20131113200708) do
 t.integer "user_id"
 t.datetime "created_at", :null => false
 t.datetime "updated_at", :null => false
+ t.string "auth_token"
 end
 create_table "work_infos", :force => true do |t|
From 4e6006dcc88049a3fbcb45bc6ed96d74371b3f41 Mon Sep 17 00:00:00 2001
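Review bot: `generate_token` stores the raw `SecureRandom.urlsafe_base64` value in the user row, so the `auth_token` column is a bearer credential in clear text and anyone with read access to the table or a backup can authenticate as any remember-me user; store a digest (e.g. `Digest::SHA256.hexdigest`) and compare the cookie against that, or at minimum keep the column out of logs and dumps. The `begin … end while` construct is the do-while idiom the Ruby style guide discourages; `loop do … break unless User.exists?(column => self[column]) … end` expresses the same retry without the surprise. The `exists?` check and the later save are not atomic, so only a unique index on the column (see the migration hunk in this patch) actually guarantees uniqueness.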
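Review bot: The migration adds `auth_token` without an index, yet the column is looked up by value in `User#generate_token` (`User.exists?(column => …)`) and, later in this series, on every request in `ApplicationController#current_user`, so each lookup is a table scan and nothing at the database level prevents two rows from ending up with the same token. Add `add_index :users, :auth_token, :unique => true` after the `add_column` line; a unique index is also what makes the uniqueness loop in the model meaningful.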
From: relotnek
Date: Tue, 11 Mar 2014 20:29:43 -0400
Subject: [PATCH 02/15] added before_create generate token to user model
---
 app/models/user.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 909fb64..5543fe2 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -23,7 +23,7 @@ class User < ActiveRecord::Base
 has_one :work_info, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
 has_many :performance, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
 has_many :messages, :foreign_key => :receiver_id, :primary_key => :user_id, :dependent => :destroy
-
+ before_create { generate_token(:auth_token) }
 def build_benefits_data
 build_retirement(POPULATE_RETIREMENTS.shuffle.first)
From a707e756627e218437cd1bcc32489b484ec5bfa8 Mon Sep 17 00:00:00 2001
From: relotnek
Date: Tue, 11 Mar 2014 20:31:32 -0400
Subject: [PATCH 03/15] added cookies.permanent in replacement of session
---
 app/controllers/sessions_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 3f84173..b69a820 100755
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -19,7 +19,7 @@ class SessionsController < ApplicationController
 end
 if user
- session[:user_id] = user.user_id if User.where(:user_id => user.user_id).exists?
+ cookies.permanent[:auth_token = user.auth_token ] if User.where(:user_id => user.user_id).exists?
 redirect_to path
 else
 # Removed this code, just doesn't seem specific enough!
From 015b36d379c7362744de583088b570171425f4e5 Mon Sep 17 00:00:00 2001
From: relotnek
Date: Tue, 11 Mar 2014 20:32:12 -0400
Subject: [PATCH 04/15] added cookie delete to session destroy method
---
 app/controllers/sessions_controller.rb | 1 +
 1 file changed, 1 insertion(+)
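Review bot: The `before_create` callback only fires for users created from now on, so every existing row keeps a NULL `auth_token`; when such a user logs in with remember-me, the controller (PATCH 03 onward) writes `user.auth_token`, i.e. nil, into the cookie and the later `find_by_auth_token` lookup will not match it, so those users silently lose the feature. Either backfill tokens for existing rows in the PATCH 01 migration or generate one at login when `user.auth_token.blank?`.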
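Review bot: The remember-me cookie now holds the raw login credential but is set without `:httponly` or `:secure`, so it is readable by any script on the page and is sent over plain HTTP; write it as `cookies.permanent.signed[:auth_token] = { :value => user.auth_token, :httponly => true, :secure => Rails.env.production? }` and read it back with `cookies.signed[:auth_token]` in `ApplicationController#current_user`. The same unsigned, flag-less write survives in the PATCH 06, 10 and 12 versions of this line. As written, `cookies.permanent[:auth_token = user.auth_token ]` assigns to a symbol literal, which I would expect Ruby to reject at parse time; PATCH 06 moves the `]`. The trailing `if User.where(:user_id => user.user_id).exists?` re-queries the row that was just loaded into `user` and can be dropped.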
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index b69a820..923b939 100755
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -30,6 +30,7 @@ class SessionsController < ApplicationController
 end
 def destroy
+ cookies.delete(:auth_token)
 reset_session
 redirect_to root_path
 end
From 18a1e219b7b6fa6ebcda1bdca541d5369e9ccaa1 Mon Sep 17 00:00:00 2001
From: relotnek
Date: Tue, 11 Mar 2014 20:34:47 -0400
Subject: [PATCH 05/15] added rememberme checkbox to new session form
---
 app/views/sessions/new.html.erb | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
index f559a6e..7ed1272 100755
--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -25,6 +25,11 @@
 <%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %>
+
+
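Review bot: `cookies.delete(:auth_token)` removes the browser's copy only; the token stays valid in the database until the row changes, so a cookie copied before logout (shared machine, backup, request log) still authenticates afterwards. Rotate the server-side value in `destroy` before deleting the cookie: `generate_token` is private on `User`, so add a public wrapper such as `def reset_auth_token!` that calls `generate_token(:auth_token)` and `save(:validate => false)`, and invoke it on the current user here, so the old cookie is dead on both sides.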
+ <%= check_box_tag :remember_me, 1, params[:remember_me] %> + <%= label_tag :remember_me %> +
<% end %>
From a5c4dc37a2161baaab1689ceaecef5e77b31a964 Mon Sep 17 00:00:00 2001
From: relotnek
Date: Tue, 11 Mar 2014 20:38:26 -0400
Subject: [PATCH 06/15] added logic in sessions controller for rememberme checkbox
---
 app/controllers/sessions_controller.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 923b939..777bf6e 100755
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -19,7 +19,11 @@ class SessionsController < ApplicationController
 end
 if user
- cookies.permanent[:auth_token = user.auth_token ] if User.where(:user_id => user.user_id).exists?
+ if params[:remember_me]
+ cookies.permanent[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists?
+ else
+ cookies[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists?
+ end
 redirect_to path
 else
 # Removed this code, just doesn't seem specific enough!
From 6a4bc922bd491d10fba49b4a82f8846c63b46d8d Mon Sep 17 00:00:00 2001
From: relotnek
Date: Tue, 11 Mar 2014 20:40:10 -0400
Subject: [PATCH 07/15] added user lookup in application controller by auth_token
---
 app/controllers/application_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 7590751..ce73728 100755
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -9,7 +9,7 @@ class ApplicationController < ActionController::Base
 private
 def current_user
- @current_user ||= User.find_by_user_id(session[:user_id].to_s)
+ @current_user ||= User.find_by_auth_token!(cookies[:auth_token].to_s)
 end
 def authenticated
From b101c286ce11c65e025419870a3dfc31681c3969 Mon Sep 17 00:00:00 2001
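Review bot: The `else` branch still hands out the same long-lived `auth_token`, merely with a browser-session expiry, so a login without remember-me exposes a credential that stays valid indefinitely if the cookie is ever captured; a non-persistent login should use the server-side session (`session[:user_id] = user.user_id`), which PATCH 10 later does. `if params[:remember_me]` treats any submitted value, including `"0"`, as true — compare against the value the checkbox from PATCH 05 actually sends, `params[:remember_me] == "1"`. The `User.where(:user_id => user.user_id).exists?` guard is duplicated on both branches and re-checks a row that was just loaded.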
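Review bot: `current_user` looks up the unsigned `cookies[:auth_token]` with a bang finder, so any visitor without the cookie, or with a stale one, raises `ActiveRecord::RecordNotFound` — including from `SessionsController#new`, which calls `current_user` to decide whether to redirect; PATCH 08 drops the `!`. Also skip the query when the value is blank rather than coercing nil with `.to_s`, which otherwise runs `WHERE auth_token = ''` on every anonymous request: `token = cookies.signed[:auth_token]` / `@current_user ||= User.find_by_auth_token(token) if token.present?` (the signed read assumes the write side in `SessionsController#create` signs the cookie). The unsigned `.to_s` lookup is carried forward unchanged in the PATCH 08, 10 and 12 versions of this method.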
From: relotnek
Date: Tue, 11 Mar 2014 20:54:38 -0400
Subject: [PATCH 08/15] application controller edits
---
 app/controllers/application_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index ce73728..02b8df5 100755
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -9,7 +9,7 @@ class ApplicationController < ActionController::Base
 private
 def current_user
- @current_user ||= User.find_by_auth_token!(cookies[:auth_token].to_s)
+ @current_user ||= User.find_by_auth_token(cookies[:auth_token].to_s)
 end
 def authenticated
From b9f61b3686b843ee8759c2326c8f489664e04166 Mon Sep 17 00:00:00 2001
From: relotnek
Date: Tue, 11 Mar 2014 21:18:48 -0400
Subject: [PATCH 09/15] stylistic elements
---
 app/views/sessions/new.html.erb | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
index 7ed1272..57c707d 100755
--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -21,15 +21,16 @@
- <%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%> + <%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%>
+
+ +
<%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %>
-
- <%= check_box_tag :remember_me, 1, params[:remember_me] %> - <%= label_tag :remember_me %> -
<% end %>
From 8daeee09f213c85f8bad267ccc26f7e5bd8177eb Mon Sep 17 00:00:00 2001
From: cktricky
Date: Fri, 14 Mar 2014 09:07:52 -0400
Subject: [PATCH 10/15] working on cleaning up and testing if I can push changes to a PR
---
 app/controllers/application_controller.rb | 2 +-
 app/controllers/sessions_controller.rb | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 02b8df5..c8605d7 100755
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -9,7 +9,7 @@ class ApplicationController < ActionController::Base
 private
 def current_user
- @current_user ||= User.find_by_auth_token(cookies[:auth_token].to_s)
+ @current_user ||= (User.find_by_auth_token(cookies[:auth_token].to_s) || User.find_by_user_id(session[:user_id].to_s))
 end
 def authenticated
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 777bf6e..339cde8 100755
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -22,7 +22,8 @@ class SessionsController < ApplicationController
 if params[:remember_me]
 cookies.permanent[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists?
 else
- cookies[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists?
+ session[:user_id] = user.user_id if User.where(:user_id => user.user_id).exists?
+ #cookies[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists?
 end
 redirect_to path
 else
From ec8a187833116e702c93ecbdf85dae080d32d4d7 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Fri, 14 Mar 2014 12:50:45 -0400
Subject: [PATCH 11/15] fixed the checkbox layout, etc.
---
 app/views/sessions/new.html.erb | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
index 57c707d..816e2c3 100755
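Review bot: The session fallback `User.find_by_user_id(session[:user_id].to_s)` runs with `''` whenever there is no session, and `db/schema.rb` in PATCH 01 shows `user_id` as `t.integer` on the users table, so — as far as I can tell from the Rails 3.x quoting rules — the empty string is cast to `0` before quoting and the query becomes `WHERE user_id = 0`, harmless only as long as no row carries that id. Guard each lookup on presence instead of `.to_s`, e.g. `@current_user ||= (User.find_by_auth_token(cookies[:auth_token]) if cookies[:auth_token].present?) || (User.find_by_user_id(session[:user_id]) if session[:user_id].present?)`, which also skips the cookie query for users who authenticate through the session. The PATCH 12 reformat of this method keeps the same `.to_s` behaviour.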
--- a/app/views/sessions/new.html.erb +++ b/app/views/sessions/new.html.erb @@ -20,16 +20,16 @@
- - <%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%>
-
-
- -
- <%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %> -
+ + <%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%>
+ <%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %> + + <%= check_box_tag :remember_me, 1, params[:remember_me], {:id => "form-terms", :class => "checkbox", :type => "checkbox"} %> + Remember + + + +
From d0e825fc175976f46cd8b403bf02bb8205bed6c0 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Fri, 14 Mar 2014 14:00:51 -0400
Subject: [PATCH 12/15] making sure this is up to date
---
 app/controllers/application_controller.rb | 5 ++-
 app/controllers/sessions_controller.rb | 4 +--
 app/models/key_management.rb | 1 +
 app/models/user.rb | 37 +++++++++++++++++++++--
 4 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index c8605d7..56ad260 100755
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -9,7 +9,10 @@ class ApplicationController < ActionController::Base
 private
 def current_user
- @current_user ||= (User.find_by_auth_token(cookies[:auth_token].to_s) || User.find_by_user_id(session[:user_id].to_s))
+ @current_user ||= (
+ User.find_by_auth_token(cookies[:auth_token].to_s) ||
+ User.find_by_user_id(session[:user_id].to_s)
+ )
 end
 def authenticated
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 339cde8..a13bbc7 100755
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -8,7 +8,6 @@ class SessionsController < ApplicationController
 redirect_to home_dashboard_index_path if current_user
 end
-
 def create
 path = params[:url].present? ? params[:url] : home_dashboard_index_path
 begin
@@ -20,10 +19,9 @@ class SessionsController < ApplicationController
 if user
 if params[:remember_me]
- cookies.permanent[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists?
+ cookies.permanent[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists?
 else
 session[:user_id] = user.user_id if User.where(:user_id => user.user_id).exists?
- #cookies[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists?
 end
 redirect_to path
 else
diff --git a/app/models/key_management.rb b/app/models/key_management.rb
index 80bf527..174b80c 100644
--- a/app/models/key_management.rb
+++ b/app/models/key_management.rb
@@ -1,5 +1,6 @@
 class KeyManagement < ActiveRecord::Base
 attr_accessible :iv, :user_id
 belongs_to :work_info
+ belongs_to :user
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 5543fe2..df0f140 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -64,8 +64,6 @@ private
 end
 =end
-
-
 def assign_user_id
 unless @skip_user_id_assign.present? || self.user_id.present?
 user = User.order("user_id").last
@@ -82,9 +80,42 @@ private
 end
 end
+ # Added a re-usable encryption routine, shouldn't be an issue!
+ def encrypt_sensitive_value(val="")
+ aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+ aes.encrypt
+ aes.key = key
+ aes.iv = iv if iv != nil
+ #self.encrypted_ssn = aes.update(self.SSN) + aes.final
+ #self.SSN = nil
+ end
+
+ def decrypt_ssn
+ aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+ aes.decrypt
+ aes.key = key
+ aes.iv = iv if iv != nil
+ #aes.update(self.encrypted_ssn) + aes.final
+ end
+
+ # Should be able to just re-use the same key we already have!
+ def key
+ raise "Key Missing" if !(KEY)
+ KEY
+ end
+
+ def iv
+ raise "No IV for this User" if !(self.key_management.iv)
+ #self.key_management.iv
+ end
+
+ def cipher_type
+ 'aes-256-cbc'
+ end
+
 def generate_token(column)
 begin
- self[column] = SecureRandom.urlsafe_base64
+ #self[column] =
 end while User.exists?(column => self[column])
 end
From 7823eadf3cd8086c98a07c19e26a74363c39fde0 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Fri, 14 Mar 2014 16:32:44 -0400
Subject: [PATCH 13/15] first round of tests look okay, now we can re-use this function :-)
---
 app/models/user.rb | 38 ++++----------------------------
 config/initializers/constants.rb | 4 +++-
 lib/encryption.rb | 36 ++++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+), 35 deletions(-)
 create mode 100644 lib/encryption.rb
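Review bot: With the assignment commented out, `generate_token` leaves `self[column]` nil and then loops on `User.exists?(column => nil)`, which is true as soon as any row has a NULL `auth_token` (every user created before PATCH 01 does), so `User#create` never returns; PATCH 13 puts an assignment back. The helpers above have the same half-finished shape: `iv` returns nil when it does not raise because its body is commented out, so `aes.iv = iv if iv != nil` never sets an IV, and `raise "Key Missing" if !(KEY)` raises `NameError` before the message whenever the constant is missing — `defined?(KEY)` is the check that works. `OpenSSL::Cipher::Cipher` is the deprecated alias for `OpenSSL::Cipher`. The `private` section these methods sit in starts outside the hunk.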
diff --git a/app/models/user.rb b/app/models/user.rb
index b2ccf52..05eb101 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,4 +1,7 @@
+require 'encryption'
+
 class User < ActiveRecord::Base
+ attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation
 validates :password, :presence => true, :confirmation => true,
@@ -87,42 +90,9 @@ private
 end
 end
- # Added a re-usable encryption routine, shouldn't be an issue!
- def encrypt_sensitive_value(val="")
- aes = OpenSSL::Cipher::Cipher.new(cipher_type)
- aes.encrypt
- aes.key = key
- aes.iv = iv if iv != nil
- #self.encrypted_ssn = aes.update(self.SSN) + aes.final
- #self.SSN = nil
- end
-
- def decrypt_ssn
- aes = OpenSSL::Cipher::Cipher.new(cipher_type)
- aes.decrypt
- aes.key = key
- aes.iv = iv if iv != nil
- #aes.update(self.encrypted_ssn) + aes.final
- end
-
- # Should be able to just re-use the same key we already have!
- def key
- raise "Key Missing" if !(KEY)
- KEY
- end
-
- def iv
- raise "No IV for this User" if !(self.key_management.iv)
- #self.key_management.iv
- end
-
- def cipher_type
- 'aes-256-cbc'
- end
-
 def generate_token(column)
 begin
- #self[column] =
+ self[column] = Encryption.encrypt_sensitive_value(self.user_id)
 end while User.exists?(column => self[column])
 end
diff --git a/config/initializers/constants.rb b/config/initializers/constants.rb
index 7fdcd8f..086522f 100644
--- a/config/initializers/constants.rb
+++ b/config/initializers/constants.rb
@@ -1 +1,3 @@
-ACCESS_TOKEN_SALT = "S4828341189aefiasd#ASDF"
\ No newline at end of file
+ACCESS_TOKEN_SALT = "S4828341189aefiasd#ASDF"
+
+RG_IV = "PPKLKAJDKGHALDJL482823458028"
\ No newline at end of file
diff --git a/lib/encryption.rb b/lib/encryption.rb
new file mode 100644
index 0000000..defa525
--- /dev/null
+++ b/lib/encryption.rb
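Review bot: The new `attr_accessible` list whitelists `:admin` and `:user_id` for mass assignment, so any `User.new(params[:user])` or `update_attributes(params[:user])` in the app lets the request body set the admin flag or pick another user's id; neither should be settable from a form. Drop them — `attr_accessible :email, :first_name, :last_name, :password, :password_confirmation` — and assign `admin` explicitly in code; `user_id` is already derived by the model's `assign_user_id` method. The class body continues past the hunk, so check that no other `attr_accessible` call re-adds them.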
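Review bot: `generate_token` now sets the token to `Encryption.encrypt_sensitive_value(self.user_id)`, AES-CBC under the fixed `KEY` and the fixed `RG_IV` added to `config/initializers/constants.rb` in this same patch, so the remember-me credential is a deterministic function of the user id instead of a random secret: whoever holds the key and IV — both literals in the repository, `KEY` for every non-production environment per PATCH 14 — can compute any user's token, and the `begin … end while User.exists?` loop can never exit when the value is already taken because recomputing it yields the same string. Keep `SecureRandom.urlsafe_base64` (as in PATCH 01) or `SecureRandom.hex(32)` here and reserve `Encryption` for data that genuinely has to be decrypted later. The salt and IV in `constants.rb` are secrets committed to source control; load them from the environment and treat the committed values as burned.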
@@ -0,0 +1,36 @@
+module Encryption
+
+ # Added a re-usable encryption routine, shouldn't be an issue!
+ def self.encrypt_sensitive_value(val="")
+ aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+ aes.encrypt
+ aes.key = key
+ aes.iv = iv if iv != nil
+ new_val = aes.update("#{val}") + aes.final
+ Base64.strict_encode64(new_val).encode('utf-8')
+ end
+
+ def self.decrypt_sensitive_value(val="")
+ aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+ aes.decrypt
+ aes.key = key
+ aes.iv = iv if iv != nil
+ decoded = Base64.strict_decode64("#{val}")
+ aes.update("#{decoded}") + aes.final
+ end
+
+ # Should be able to just re-use the same key we already have!
+ def self.key
+ raise "Key Missing" if !(KEY)
+ KEY
+ end
+
+ def self.iv
+ RG_IV
+ end
+
+ def self.cipher_type
+ 'aes-256-cbc'
+ end
+
+end
\ No newline at end of file
From 0a647cbbe6b1000f3ef4d1d81cf032275f9d1725 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Fri, 14 Mar 2014 16:53:44 -0400
Subject: [PATCH 14/15] this appears to fix the issue of our test cases breaking. I had specified that if the rails env was a dev env, the key would be a certain value. Instead, it has been changed to any env other than prod
---
 config/initializers/key.rb | 4 ++--
 lib/encryption.rb | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/config/initializers/key.rb b/config/initializers/key.rb
index 5f43875..89022ee 100644
--- a/config/initializers/key.rb
+++ b/config/initializers/key.rb
@@ -1,5 +1,5 @@
 if Rails.env.production?
 # Specify env variable/location/etc. to retrieve key from
-elsif Rails.env.development?
+else
 KEY = "123456789101112123456789101112123456789101112"
-end
\ No newline at end of file
+end
diff --git a/lib/encryption.rb b/lib/encryption.rb
index defa525..a409e37 100644
--- a/lib/encryption.rb
+++ b/lib/encryption.rb
@@ -1,3 +1,5 @@
+require './config/initializers/key' + module Encryption + + # Added a re-usable encryption routine, shouldn't be an issue!
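Review bot: `aes-256-cbc` uses a 32-byte key and a 16-byte IV, but `KEY` from `config/initializers/key.rb` is 45 characters and `RG_IV` is 28, so `aes.key =` / `aes.iv =` either silently use only the leading bytes or raise `ArgumentError`, depending on the Ruby/OpenSSL version; generate both at the exact length (`SecureRandom.random_bytes(32)` and `(16)`, stored encoded) instead of typing them. Reusing one IV for every call makes CBC deterministic — equal inputs give equal outputs, which is what lets `generate_token` in this patch turn a user id into a reproducible token — so take `aes.random_iv` per call and prepend it to the ciphertext before `Base64.strict_encode64`, splitting it off again in `decrypt_sensitive_value`, after which `self.iv` and `RG_IV` are no longer needed. `raise "Key Missing" if !(KEY)` never prints its message: an undefined constant raises `NameError` first, so test `defined?(KEY)`. `OpenSSL::Cipher::Cipher` is the deprecated spelling of `OpenSSL::Cipher`, and `aes.iv = iv if iv != nil` is idiomatically `aes.iv = iv if iv`.
```ruby
  def self.encrypt_sensitive_value(val="")
    aes = OpenSSL::Cipher.new(cipher_type)
    aes.encrypt
    aes.key = key
    iv = aes.random_iv                      # fresh IV per message; CBC must never reuse one
    new_val = aes.update("#{val}") + aes.final
    Base64.strict_encode64(iv + new_val).encode('utf-8')
  end

  def self.decrypt_sensitive_value(val="")
    raw = Base64.strict_decode64("#{val}")
    aes = OpenSSL::Cipher.new(cipher_type)
    aes.decrypt
    aes.key = key
    aes.iv = raw.byteslice(0, aes.iv_len)   # the IV travels in front of the ciphertext
    aes.update(raw.byteslice(aes.iv_len..-1)) + aes.final
  end
  # … unchanged: key, cipher_type …
```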
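Review bot: The production branch still defines nothing but the comment `# Specify env variable/location/etc. to retrieve key from`, so in production every call to `Encryption.key` fails with `NameError` (its `!(KEY)` guard never gets to run), while after this change every other environment — test, staging, CI — shares the literal key committed to the repository. Read the key from the environment in every branch and fail at boot when it is absent, e.g. `KEY = ENV.fetch("ENCRYPTION_KEY")` for production (variable name illustrative) with the literal only as the non-production fallback; a value that has lived in version control should be considered compromised once the repository is shared.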
From caaa3ba96df8fcfd98ba095c4479c25424d2fba8 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Fri, 14 Mar 2014 16:57:55 -0400
Subject: [PATCH 15/15] commented out unused spec tests as well as removed unnecessary require statement
---
 lib/encryption.rb | 2 --
 spec/controllers/api/v1/users_controller_spec.rb | 3 ++-
 spec/helpers/api/v1/users_helper_spec.rb | 3 ++-
 spec/helpers/password_resets_helper_spec.rb | 3 ++-
 spec/views/password_resets/new.html.erb_spec.rb | 3 ++-
 5 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/lib/encryption.rb b/lib/encryption.rb
index a409e37..defa525 100644
--- a/lib/encryption.rb
+++ b/lib/encryption.rb
@@ -1,5 +1,3 @@
-require './config/initializers/key' - module Encryption + + # Added a re-usable encryption routine, shouldn't be an issue!
diff --git a/spec/controllers/api/v1/users_controller_spec.rb b/spec/controllers/api/v1/users_controller_spec.rb
index 184b048..9b5309e 100644
--- a/spec/controllers/api/v1/users_controller_spec.rb
+++ b/spec/controllers/api/v1/users_controller_spec.rb
@@ -1,5 +1,6 @@
-require 'spec_helper'
+=begin require 'spec_helper'
 describe Api::V1::UsersController do
 end
+=end
\ No newline at end of file
diff --git a/spec/helpers/api/v1/users_helper_spec.rb b/spec/helpers/api/v1/users_helper_spec.rb
index 13a6067..9619df0 100644
--- a/spec/helpers/api/v1/users_helper_spec.rb
+++ b/spec/helpers/api/v1/users_helper_spec.rb
@@ -1,4 +1,4 @@
-require 'spec_helper'
+=begin require 'spec_helper'
 # Specs in this file have access to a helper object that includes
 # the Api::V1::UsersHelper. For example:
@@ -13,3 +13,4 @@ require 'spec_helper'
 describe Api::V1::UsersHelper do
 pending "add some examples to (or delete) #{__FILE__}"
 end
+=end
\ No newline at end of file
diff --git a/spec/helpers/password_resets_helper_spec.rb b/spec/helpers/password_resets_helper_spec.rb
index a0df3dd..b87346e 100644
--- a/spec/helpers/password_resets_helper_spec.rb
+++ b/spec/helpers/password_resets_helper_spec.rb
@@ -1,4 +1,4 @@
-require 'spec_helper'
+=begin require 'spec_helper'
 # Specs in this file have access to a helper object that includes
 # the PasswordResetsHelper. For example:
@@ -13,3 +13,4 @@ require 'spec_helper'
 describe PasswordResetsHelper do
 pending "add some examples to (or delete) #{__FILE__}"
 end
+=end
\ No newline at end of file
diff --git a/spec/views/password_resets/new.html.erb_spec.rb b/spec/views/password_resets/new.html.erb_spec.rb
index 38c6853..fcb6721 100644
--- a/spec/views/password_resets/new.html.erb_spec.rb
+++ b/spec/views/password_resets/new.html.erb_spec.rb
@@ -1,5 +1,6 @@
-require 'spec_helper'
+=begin require 'spec_helper'
 describe "password_resets/new.html.erb" do
 pending "add some examples to (or delete) #{__FILE__}"
 end
+=end
\ No newline at end of file