On 25-07-2011 09:55, Marius Mårnes Mathiesen wrote:
> On Mon, Jul 25, 2011 at 2:36 PM, Benjamin Podszun <[email protected]> wrote:
>> On Mon, Jul 25, 2011 at 3:33 PM, Marius Mårnes Mathiesen <[email protected]> wrote:
>>> On Mon, Jul 25, 2011 at 10:42 AM, Stefan Hoth <[email protected]> wrote:
>>>> iirc there is the possibility to add users via shell
>>>> script. This might be a viable alternative and more
>>>> fool-proof than going around the system.
>>>
>>> If you really want to know how the hashing is performed, use
>>> the source:
>>> https://gitorious.org/gitorious/mainline/blobs/master/app/models/user.rb#line150
>>
>> Slightly off-topic: Being curious I followed the link. Any plans
>> to move away from SHA-1 in the (near) future? And to nothing but
>> bcrypt/scrypt?
>
> Absolutely! I think Rodrigo's devise branch - which should be merged
> into mainline later on - uses bcrypt.

Hi, Marius, I'm sorry if you miss me, but I've been in a hurry since I
decided to change my job about a month ago...
Now, I need to learn how to speak and listen to English, since my end
client is from the USA. I mean, I'll be working for a company in Porto
Alegre, here in Brazil, but this company offers developers for other
companies and most of them are in the USA.
If that wasn't enough, I still have to understand a Grails application
that is badly organized, with each tab being an iframe that has
JavaScript merged in HTML views, reminding me of PHP or ASP, with the
exception that the back-end code is written in Groovy, in separate
files... But the problem is that there's a lot of duplication and not a
single automated test for the whole project. So, you can have an idea of
my pain trying to be integrated in this project so that I can finish the
tasks I'm supposed to do. And additionally, having to learn how to speak
and listen to English :)
After this status report, and changing the subject back to Devise
integration, actually Devise supports several algorithms and not only
bcrypt.
Let me take the chance to say where the conversion to Devise has
stopped. Let me try to remember, since it has been some weeks since I last
worked on it...
Currently, the branch seems to be working. Most of the tests pass, but a
single test, regarding OpenID, is failing, and integrating OpenID has been
my work in the last weeks I spent on this conversion to Devise.
Actually, I could already verify it is working for the Google OpenID
provider. Most of the time I spent on this integration was searching for
some way to test this integration. I can't modify the former functional
test since the new approach is completely different and involves a Rack
middleware that does most of the authentication.
So I decided to write an integration test that would allow the
implementation to change in the future without the need to change the
test too.
Then, I found two simple OpenID providers written in Ruby (although it
could be written in any other language, but the two I found were in
Ruby), that I intended to launch before running the integration tests:
ROTS: https://github.com/roman/rots
passage: https://github.com/jondot/passage, or
http://blog.paracode.com/2011/04/14/passage-tiny-openid-provider/
The problem is that I didn't get it to work for some reason that I was
trying to understand. Just before the interview that set me up to the
new job, the last thing I noticed is that the current Gitorious
implementation works with both ROTS and passage, so there may be some
bug in my OpenID implementation, even if it does work with the Google OpenID
provider.
When I get more comfortable with my new job, I'll continue to try to
figure out how to properly integrate and test OpenID. One of my concerns
was about replay attacks and I tried to simulate one by installing
Squid 3 as a proxy server. Then I learned that the proxies can't know
which URLs were used in HTTPS/SSL connections, since this information is
also sent over the secure channel. So, part of my time, I was concerned
about security issues with OpenID... So, as long as both Gitorious and your
OpenID provider offer HTTP over SSL, I guess you should be safe.
Well, that is it. I hope to get more comfortable with my new position
soon, so that I can finish this move to Devise... :)
Well, guys, I missed you ;)
Cheers!
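
The replay concern in the message above is what the `openid.response_nonce` field of OpenID 2.0 is for: the relying party rejects a nonce it has already accepted from the same provider endpoint. The following Ruby is an added example, not code from Gitorious, Devise or the original post; `NonceGuard`, the 300-second window and the sample URL and nonces are assumptions made for illustration.

```ruby
require 'time'

# In-memory replay guard for OpenID 2.0 positive assertions.
# NonceGuard is a hypothetical name; a real relying party would keep the
# seen-set in shared storage (database, memcached) instead of a Hash.
class NonceGuard
  # openid.response_nonce: UTC timestamp, then optional printable ASCII.
  FORMAT = /\A(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)[\x21-\x7e]*\z/

  def initialize(max_skew: 300)
    @max_skew = max_skew # seconds a nonce timestamp may differ from our clock
    @seen = {}           # [op_endpoint, nonce] => issue time
  end

  # Returns :ok when the assertion is fresh and unseen, otherwise the
  # reason it must be rejected.
  def check(op_endpoint, nonce, now: Time.now.utc)
    match = FORMAT.match(nonce.to_s)
    return :malformed if match.nil? || nonce.length > 255
    issued = begin
      Time.iso8601(match[1])
    rescue ArgumentError
      return :malformed
    end
    return :stale if (now - issued).abs > @max_skew
    # Nonces only have to be unique per provider endpoint.
    key = [op_endpoint, nonce]
    return :replayed if @seen.key?(key)
    # Entries outside the window would be rejected as :stale anyway,
    # so dropping them keeps the store bounded.
    @seen.delete_if { |_, t| (now - t).abs > @max_skew }
    @seen[key] = issued
    :ok
  end
end

# Constructed sample values, not captured from a real provider.
def demo
  guard = NonceGuard.new
  now = Time.utc(2011, 7, 25, 12, 0, 0)
  op = 'https://op.example/server'
  ['2011-07-25T11:59:30ZaB3x', '2011-07-25T11:59:30ZaB3x',
   '2011-07-25T11:40:00Zq9', 'not-a-nonce'].map do |nonce|
    guard.check(op, nonce, now: now)
  end
end
```

`demo` feeds the guard a fresh nonce, the same nonce again, an old one and a malformed one.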