Ripta,

Right, I realized that.  My question isn't about why this is the way it is;
I understand that. Instead, my question is: do we think this is correct?  I'm
just debating whether I want to use BCrypt::Password given that it has these
weird gotchas.  The two basic rules that are violated here are:

If a == b is true, then b == a should also be true

The practical case of this could be this (although not a common case):

    pass = "foo"
    u.password = "foo"

    # .... somewhere way later in the code

    if pass == u.password # this should be true, but won't be

    if u.password == pass # you just have to know to do it this way

and

If a = b (assign b to a), then a == b should be true

That means that doing this doesn't work as you'd expect (not knowing that
password is a BCryptHash and not a regular String):

    u.password = u.password_confirmation = "test"

But I guess having these gotchas is just the trade-off of using BCryptHash.

On Mon, Jun 28, 2010 at 10:22 AM, Ripta Pasay <[email protected]> wrote:

> When you check equality on a BCryptHash, you're supposed to call
> BCrypt::Password#==, which happens when you call u.password ==
> u.password_confirmation because--as your test in problem #2 reveals,
> password is a BCrypt::Password.
>
> But when you call u.password_confirmation == u.password, what you're
> really calling is String#==, which doesn't know how to compare a string with
> a BC::P.
>
> I'm not positive about problem #2, but if I had to guess, it's because
> password_confirmation is also a BC::P. validates_confirmation_of calls
> BC::P#==, which converts the password_confirmation--that's already been
> hashed--to a string (BC::P#to_s), then hashes it again. I think setting
> password_confirmation to the password string directly ("test") should make
> the confirmation validation pass.
>
> -rp
>
>
> On Jun 28, 2010, at 8:41 AM, Paul Barry wrote:
>
> Anyone have any comments on this?
>
> http://gist.github.com/455346
>
> --
> You received this message because you are subscribed to the Google Groups
> "DataMapper" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/datamapper?hl=en.
>
>

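The asymmetry discussed in this thread, as an added example that is not part of the original messages or of DataMapper or bcrypt-ruby. `HashedPassword` is a constructed stand-in for BCrypt::Password (PBKDF2 from Ruby's OpenSSL is swapped in for bcrypt so it runs without the gem), and `User` and `password_matches?` are hypothetical names.

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for BCrypt::Password: a String subclass holding
# "salt$digest" whose == hashes its argument before comparing.
# PBKDF2 replaces bcrypt here only to keep the example gem-free.
class HashedPassword < String
  ITERATIONS = 10_000

  def self.create(secret, salt = SecureRandom.hex(8))
    new("#{salt}$#{digest(secret, salt)}")
  end

  def self.digest(secret, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(secret, salt, ITERATIONS, 32,
                               OpenSSL::Digest.new("SHA256")).unpack1("H*")
  end

  def salt
    split("$").first
  end

  # Asymmetric by design: the receiver is a hash, the argument is plaintext.
  def ==(secret)
    super("#{salt}$#{self.class.digest(secret.to_s, salt)}")
  end
end

# Hypothetical model whose writer hashes on assignment.
class User
  attr_reader :password

  def password=(plain)
    @password = HashedPassword.create(plain)
  end

  # Order-independent check: always dispatch on the hash, never on the String.
  def password_matches?(candidate)
    password == candidate
  end
end

def demo
  u = User.new
  u.password = "foo"
  pass = "foo"
  { hash_eq_plain: u.password == pass,        # HashedPassword#== hashes pass first
    plain_eq_hash: pass == u.password,        # String#== compares the raw bytes
    hash_eq_hash:  u.password == u.password,  # the argument gets hashed a second time
    helper:        u.password_matches?(pass) }
end
```

Routing every check through one method on the model keeps the hashed value on the left-hand side, so callers cannot trip over the operand order.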