Existing users could not log in after adding pepper layout

We have a production database with thousands of users. In the latest version we added ready-made peppers for greater security.

Existing users are now unable to log in, but new users created after release can log in.

I think the problem is using the salt used to encrypt the password before and after the release.

Is there a way that allows users (users created before pepper integration and users created after pepper integration) to log in?

+4
2 answers

DEVISE_PEPPER, , . reset DEVISE_PEPPER , rails.

+3

, : script:

begin
  c_pool = ActiveRecord::Base.establish_connection # initialize connection pool
  conn = c_pool.connection # create connection object

  # Fetch number of users that were old.
  # select_value returns the first column of the first row on every adapter.
  count = conn.select_value("SELECT count(*) FROM users WHERE created_at < '2018-03-12 08:37:46'").to_i

  batch_size = 100
  my_offset = 0

  while count > 0
    # Order by id so that the limit/offset pages stay stable between queries.
    users = User.where("created_at < ?", '2018-03-12 08:37:46').order(:id).limit(batch_size).offset(my_offset)

    break unless users.present? # Exit from loop if no users.

    users.each do |u|
      u.password = u.old_password_field
      u.save # This will update password_digest column of the user.
      count -= 1
    end

    my_offset += batch_size
  end
rescue => e
  Rails.logger.error e.message
ensure
  ActiveRecord::Base.clear_active_connections!
end

. , , .

script .

+1
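
An added example, not part of either answer: one way to let both groups of users log in is to check the stored hash with the pepper first, fall back to a check without it, and re-hash with the pepper when the fallback succeeds. The helper names and the pepper value are constructed, and PBKDF2 from Ruby's standard library stands in for Devise's bcrypt so the block runs without gems; in a Devise model this logic would sit in an overridden `valid_password?`.

```ruby
require "openssl"
require "securerandom"

PEPPER = "constructed-pepper-value" # constructed; the app would use its configured Devise pepper
ITERATIONS = 10_000

# Stand-in for the bcrypt digest: PBKDF2-HMAC-SHA256, stored as "salt$hexhash".
# The pepper is appended to the password, as Devise does.
def digest(password, pepper: nil, salt: SecureRandom.hex(16))
  raw = OpenSSL::PKCS5.pbkdf2_hmac("#{password}#{pepper}", salt, ITERATIONS, 32,
                                   OpenSSL::Digest.new("SHA256"))
  "#{salt}$#{raw.unpack1('H*')}"
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Recompute the digest with the stored salt and compare.
def matches?(stored, password, pepper: nil)
  salt = stored.split("$", 2).first
  secure_eq(stored, digest(password, pepper: pepper, salt: salt))
end

# Returns [authenticated, hash_to_store].
# Peppered hashes are accepted as they are. A hash made before the pepper
# existed is accepted once and replaced by a peppered hash, so the legacy
# path disappears for each user at their next successful login.
def authenticate(stored, password)
  return [true, stored] if matches?(stored, password, pepper: PEPPER)
  return [true, digest(password, pepper: PEPPER)] if matches?(stored, password)
  [false, stored]
end
```

The caller saves the returned hash whenever it differs from the stored one; accounts that never log in again keep their un-peppered hash until a password reset.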

Source: https://habr.com/ru/post/1694758/

