Ensure bcrypt also uses pepper for backward compatibility.

2026-04-28 03:00:29 -04:00 · 2010-09-28 17:45:06 +02:00
parent ab690bf36f
commit fbb77a6edd
2 changed files with 5 additions and 5 deletions
--- a/lib/devise/models/database_authenticatable.rb
+++ b/lib/devise/models/database_authenticatable.rb
@@ -31,8 +31,8 @@ module Devise
      end

      # Verifies whether an incoming_password (ie from sign in) is the user password.
-      def valid_password?(incoming_password)
-        ::BCrypt::Password.new(self.encrypted_password) == incoming_password
+      def valid_password?(password)
+        ::BCrypt::Password.new(self.encrypted_password) == "#{password}#{self.class.pepper}"
      end

      # Set password and password confirmation to nil
@@ -75,11 +75,11 @@ module Devise

      # Digests the password using bcrypt.
      def password_digest(password)
-        ::BCrypt::Password.create(password, :cost => self.class.stretches).to_s
+        ::BCrypt::Password.create("#{password}#{self.class.pepper}", :cost => self.class.stretches).to_s
      end

      module ClassMethods
-        Devise::Models.config(self, :stretches)
+        Devise::Models.config(self, :pepper, :stretches)

        # We assume this method already gets the sanitized values from the
        # DatabaseAuthenticatable strategy. If you are using this method on
--- a/lib/devise/models/encryptable.rb
+++ b/lib/devise/models/encryptable.rb
@@ -49,7 +49,7 @@ module Devise
      end

      module ClassMethods
-        Devise::Models.config(self, :pepper, :encryptor)
+        Devise::Models.config(self, :encryptor)

        # Returns the class for the configured encryptor.
        def encryptor_class