Make old password changes serializable

otwcode · Aug 23, 2023 · 95a38d2 · 95a38d2
1 parent 03cafde
commit 95a38d2
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 3 deletions.
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -1,5 +1,5 @@
 class User < ApplicationRecord
-  audited
+  audited redacted: [:encrypted_password, :password_salt]
   include WorksOwner
 
   devise :database_authenticatable,

diff --git a/config/application.rb b/config/application.rb
@@ -75,8 +75,13 @@ class Application < Rails::Application
     # Keeps updated_at in cache keys
     config.active_record.cache_versioning = false
 
-    # This class is not allowed by deafult when upgrading Rails to 6.0.5.1 patch
-    config.active_record.yaml_column_permitted_classes = [ActiveSupport::TimeWithZone, Time, ActiveSupport::TimeZone]
+    # This class is not allowed by default when upgrading Rails to 6.0.5.1 patch
+    config.active_record.yaml_column_permitted_classes = [
+      ActiveSupport::TimeWithZone,
+      Time,
+      ActiveSupport::TimeZone,
+      BCrypt::Password
+    ]
 
     # handle errors with custom error pages:
     config.exceptions_app = self.routes

diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
@@ -161,6 +161,37 @@
       end
     end
 
+    context "password was recently changed" do
+      before do
+        pw = Faker::Lorem.characters(number: ArchiveConfig.PASSWORD_LENGTH_MIN)
+        existing_user.update!(password: pw, password_confirmation: pw)
+      end
+
+      redacted_value = "[REDACTED]"
+      redacted_arr = Array.new(2, redacted_value)
+
+      it "audits and redacts password changes" do
+        last_change = existing_user.audits.pluck(:audited_changes).last
+
+        expect(last_change["encrypted_password"]).to eq(redacted_arr)
+      end
+
+      it "deserializes old BCrypt password changes" do
+        salt = SecureRandom.urlsafe_base64(15)
+        bcrypt_password = BCrypt::Password.create(
+          ["another_password", salt].flatten.join,
+          cost: ArchiveConfig.BCRYPT_COST || 14
+        )
+
+        existing_user.update!(encrypted_password: bcrypt_password, password_salt: salt)
+
+        last_change = existing_user.audits.pluck(:audited_changes).last
+
+        expect(last_change["encrypted_password"]).to eq(redacted_arr)
+        expect(last_change["password_salt"]).to eq(redacted_arr)
+      end
+    end
+
     context "username was changed outside window" do
       before do
         travel_to ArchiveConfig.USER_RENAME_LIMIT_DAYS.days.ago do