chapter 7.2
Again, let's start from TDD!!!
1. Since we defined encrypt_password in the private section, how do we test it?
OK, we need some public interface that uses it. (This is TDD from the client's point of view: writing the test first pushes us to design a useful interface right from the start.)
Authentication means comparing the encrypted version of the submitted password to the encrypted_password stored in the database. So we need to define a method:
has_password?
This will be the public interface.
def has_password?(submitted_password)
  # to do
end
For the test:
describe "has_password? method" do
  it "should be true if the passwords match" do
    @user.has_password?(@attr[:password]).should be_true
  end

  it "should be false if the passwords don't match" do
    @user.has_password?("invalid").should be_false
  end
end
2. Study some secure password theory:
a. Instead of storing the raw password, we store a hashed password.
b. This hash is irreversible: even if a hacker gets the encrypted password, they can't infer the original from it.
c. To authenticate, we first hash the submitted password, then compare the two hashes.
For example, using SHA2 to hash the password:
require "digest"

def secure_hash(string)
  Digest::SHA2.hexdigest(string)
end

password = "secret"
encrypted_password = secure_hash(password)
submitted_password = "secret"
encrypted_password == secure_hash(submitted_password)   # => true
Digest::SHA2.hexdigest(string) is one-way: it is computationally infeasible to deduce the original password from the hashed value.
But we still have a problem: if a hacker ever gets hold of the hashed password and guesses that we use SHA2, they can write a program that compares the stored hash against the hashes of many common passwords, and so recover the original password!!
So we are still in a security hole!!!
how to solve it?
the answer is "salt"!!!
For example:
password = "secret"
salt = secure_hash("#{Time.now.utc}--#{password}")
encrypted_password = secure_hash("#{salt}--#{password}")
A password stored this way can't be cracked with that table of common-password hashes!!
For clarity, arguments to hashing functions are often separated with "--".
3. Now we are ready to implement the has_password? method:
def has_password?(submitted_password)
  encrypted_password == encrypt(submitted_password)
end
As long as the submitted password is hashed with the same salt, the comparison works.
4. We need to add a new column called salt to the users table.
rails g migration add_salt_to_users salt:string
rake db:migrate
rake db:test:prepare
5. Finally, the full implementation:
require 'digest'

class User < ActiveRecord::Base
  # Hash the password (and set the salt) before the record is saved.
  before_save :encrypt_password

  # Return true if the submitted password matches the stored one.
  def has_password?(submitted_password)
    encrypted_password == encrypt(submitted_password)
  end

  private

    def encrypt_password
      # Only generate a new salt when the password has actually changed.
      self.salt = make_salt unless has_password?(password)
      self.encrypted_password = encrypt(password)
    end

    def encrypt(string)
      secure_hash("#{salt}--#{string}")
    end

    def make_salt
      secure_hash("#{Time.now.utc}--#{password}")
    end

    def secure_hash(string)
      Digest::SHA2.hexdigest(string)
    end
end
OK, let's run the test; it will pass:
rspec spec/models/user_spec.rb -e "has_password\? method"
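As an added example (not the tutorial's code), here is the same salted-SHA2 scheme in plain Ruby with no ActiveRecord, run against the common-password table attack described in step 2 above. The PasswordRecord class, the clock: argument and the five-word sample list are my own constructions for this illustration.

```ruby
require "digest"
# Plain-Ruby stand-in for the User model's password methods (no ActiveRecord),
# so the tutorial's scheme can be run and checked outside Rails.
class PasswordRecord
  attr_reader :salt, :encrypted_password

  # `clock` is a hypothetical injectable time source for repeatable runs;
  # the tutorial's make_salt uses Time.now.utc directly.
  def initialize(password, clock: Time.now.utc)
    @salt = secure_hash("#{clock}--#{password}")
    @encrypted_password = encrypt(password)
  end

  # Public interface: hash the submitted password with the stored salt
  # and compare against the stored digest.
  def has_password?(submitted_password)
    encrypted_password == encrypt(submitted_password)
  end

  private

  def encrypt(string)
    secure_hash("#{salt}--#{string}")
  end

  def secure_hash(string)
    Digest::SHA2.hexdigest(string)
  end
end
# The attack the text describes: a precomputed table of SHA2(common password)
# -> password. Constructed sample list, not a real wordlist.
COMMON_PASSWORDS = %w[123456 password secret letmein qwerty].freeze
UNSALTED_TABLE = COMMON_PASSWORDS.to_h { |p| [Digest::SHA2.hexdigest(p), p] }

# Returns the recovered password when a stored digest is in the table, else nil.
def lookup_in_table(digest)
  UNSALTED_TABLE[digest]
end

# Unsalted storage: the digest of "secret" is in the table and is recovered.
def unsalted_lookup
  lookup_in_table(Digest::SHA2.hexdigest("secret"))
end

# Salted storage: the same password hashes to a digest the table does not
# contain, yet has_password? still authenticates it.
def salted_lookup(user = PasswordRecord.new("secret"))
  lookup_in_table(user.encrypted_password)
end
```

The salt defeats the precomputed table, but not a per-user guessing loop against a fast hash like SHA2; that per-guess cost is what a deliberately slow password hash such as bcrypt adds.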