Merge pull request #97 from OWASP/pr-96

Pr 96

app/controllers/application_controller.rb

@@ -9,7 +9,10 @@ class ApplicationController < ActionController::Base
   private
 
   def current_user
-    @current_user ||= User.find_by_user_id(session[:user_id].to_s)
+    @current_user ||= (
+      User.find_by_auth_token(cookies[:auth_token].to_s) || 
+      User.find_by_user_id(session[:user_id].to_s)
+    )
   end
 
   def authenticated

app/controllers/sessions_controller.rb

@@ -8,7 +8,6 @@ class SessionsController < ApplicationController
       redirect_to home_dashboard_index_path if current_user
   end
   
-
   def create
       path = params[:url].present? ? params[:url] : home_dashboard_index_path    
       begin
@@ -19,7 +18,11 @@ class SessionsController < ApplicationController
       end
       
       if user
+        if params[:remember_me]
+          cookies.permanent[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists?
+        else
           session[:user_id] = user.user_id if User.where(:user_id => user.user_id).exists?
+        end
         redirect_to path
       else
         # Removed this code, just doesn't seem specific enough!
@@ -30,6 +33,7 @@ class SessionsController < ApplicationController
   end
   
   def destroy
+    cookies.delete(:auth_token)
     reset_session
     redirect_to root_path
   end

app/models/key_management.rb

@@ -1,5 +1,6 @@
 class KeyManagement < ActiveRecord::Base
   attr_accessible :iv, :user_id
   belongs_to :work_info
+  belongs_to :user
   
 end

app/models/user.rb

@@ -1,4 +1,7 @@
+require 'encryption'
+
 class User < ActiveRecord::Base
+
   attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation
   validates :password, :presence => true,
                        :confirmation => true,
@@ -23,7 +26,7 @@ class User < ActiveRecord::Base
   has_one :work_info, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
   has_many :performance, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
   has_many :messages, :foreign_key => :receiver_id, :primary_key => :user_id, :dependent => :destroy
-
+  before_create { generate_token(:auth_token) }
 
   def build_benefits_data
     build_retirement(POPULATE_RETIREMENTS.shuffle.first)
@@ -71,8 +74,6 @@ private
    end
 =end  
 
-
-    
   def assign_user_id
      unless @skip_user_id_assign.present? || self.user_id.present?
       user = User.order("user_id").last
@@ -89,4 +90,10 @@ private
     end
   end
   
+  def generate_token(column)
+    begin
+      self[column] = Encryption.encrypt_sensitive_value(self.user_id)
+    end while User.exists?(column => self[column])
+  end
+
 end

app/views/sessions/new.html.erb

@@ -20,11 +20,17 @@
           </div>
 
           <div class="actions">
-	 		<span class="checkbox-wrapper">
+	 	
-            	<%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%>
+            	<%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%><br/>
-			</span>	
 			 	<%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %>
-          </div>
+			<span class="checkbox-wrapper">
+			<%= check_box_tag :remember_me, 1, params[:remember_me], {:id => "form-terms", :class => "checkbox", :type => "checkbox"} %>
+				  <label class="checkbox-label" for="form-terms"><%#= check_box_tag :remember_me, 1, params[:remember_me] %> </label> <span class="label-text">Remember</span>
+				  <!--<label class="checkbox-label" for="form-terms"></label>-->
+		    	  
+			</span>
+           
+		  
 
           <div class="clearfix"></div>
           <% end %>

config/initializers/constants.rb

@@ -1 +1,3 @@
 ACCESS_TOKEN_SALT = "S4828341189aefiasd#ASDF"
+
+RG_IV = "PPKLKAJDKGHALDJL482823458028"

config/initializers/key.rb

@@ -1,5 +1,5 @@
 if Rails.env.production?
   # Specify env variable/location/etc. to retrieve key from
-elsif Rails.env.development?
+else
   KEY = "123456789101112123456789101112123456789101112"
 end

db/migrate/20140312002642_add_auth_token_to_users.rb

@@ -0,0 +1,5 @@
+class AddAuthTokenToUsers < ActiveRecord::Migration
+  def change
+    add_column :users, :auth_token, :string
+  end
+end

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20131113200708) do
+ActiveRecord::Schema.define(:version => 20140312002642) do
 
   create_table "benefits", :force => true do |t|
     t.datetime "created_at", :null => false
@@ -83,6 +83,7 @@ ActiveRecord::Schema.define(:version => 20131113200708) do
     t.integer  "user_id"
     t.datetime "created_at", :null => false
     t.datetime "updated_at", :null => false
+    t.string   "auth_token"
   end
 
   create_table "work_infos", :force => true do |t|

lib/encryption.rb

@@ -0,0 +1,36 @@
+module Encryption
+ 
+  # Added a re-usable encryption routine, shouldn't be an issue!
+  def self.encrypt_sensitive_value(val="")
+     aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+     aes.encrypt
+     aes.key = key
+     aes.iv = iv if iv != nil
+     new_val = aes.update("#{val}") + aes.final
+     Base64.strict_encode64(new_val).encode('utf-8')
+  end
+  
+  def self.decrypt_sensitive_value(val="")
+     aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+     aes.decrypt
+     aes.key = key
+     aes.iv = iv if iv != nil
+     decoded = Base64.strict_decode64("#{val}")
+     aes.update("#{decoded}") + aes.final
+  end
+  
+  # Should be able to just re-use the same key we already have!
+  def self.key
+    raise "Key Missing" if !(KEY)
+    KEY
+  end
+  
+  def self.iv
+    RG_IV
+  end
+  
+  def self.cipher_type
+    'aes-256-cbc'
+  end
+ 
+end

spec/controllers/api/v1/users_controller_spec.rb

@@ -1,5 +1,6 @@
-require 'spec_helper'
+=begin require 'spec_helper'
 
 describe Api::V1::UsersController do
 
 end
+=end

spec/helpers/api/v1/users_helper_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper'
+=begin require 'spec_helper'
 
 # Specs in this file have access to a helper object that includes
 # the Api::V1::UsersHelper. For example:
@@ -13,3 +13,4 @@ require 'spec_helper'
 describe Api::V1::UsersHelper do
   pending "add some examples to (or delete) #{__FILE__}"
 end
+=end

spec/helpers/password_resets_helper_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper'
+=begin require 'spec_helper'
 
 # Specs in this file have access to a helper object that includes
 # the PasswordResetsHelper. For example:
@@ -13,3 +13,4 @@ require 'spec_helper'
 describe PasswordResetsHelper do
   pending "add some examples to (or delete) #{__FILE__}"
 end
+=end

spec/views/password_resets/new.html.erb_spec.rb

@@ -1,5 +1,6 @@
-require 'spec_helper'
+=begin require 'spec_helper'
 
 describe "password_resets/new.html.erb" do
   pending "add some examples to (or delete) #{__FILE__}"
 end
+=end